Back to 0xlemon's contests

PoolTogether - 0xlemon's results

General Information

Platform: Code4rena

Start Date: 04/03/2024

Pot Size: $36,500 USDC

Total HM: 9

Participants: 80

Period: 7 days

Judge: hansfriese

Total Solo HM: 2

Id: 332

League: ETH

PoolTogether

Findings Distribution

Researcher Performance

Rank: 51/80

Findings: 1

Award: $1.47

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryPoolTogether

Findings Information

🌟 Selected for report: DarkTower

Also found by: 0xJaeger, 0xJoyBoy03, 0xRiO, 0xkeesmark, 0xlemon, 0xmystery, Abdessamed, AcT3R, Afriauditor, AgileJune, Al-Qa-qa, Aymen0909, Daniel526, DanielTan_MetaTrust, Dots, FastChecker, Fitro, GoSlang, Greed, Krace, McToady, SoosheeTheWise, Tripathi, asui, aua_oo7, btk, crypticdefense, d3e4, dd0x7e8, dvrkzy, gesha17, iberry, kR1s, leegh, marqymarq10, n1punp, pa6kuda, radin100, sammy, smbv-1923, trachev, turvy_fuzz, valentin_s2304, wangxx2026, y4y, yotov721, yvuchev, zhaojie

Awards

1.4652 USDC - $1.47

Labels

bug
3 (High Risk)
satisfactory
sufficient quality report
upgraded by judge
:robot:_10_group
duplicate-59

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L614-L617

Vulnerability details

Impact

PrizeVault::claimYieldFeeShares can only be called by the yieldFeeRecipient to claim the fees. The yieldFeeRecipient can specify the exact amount of shares he wants to claim, however this is a problem because the yieldFeeBalance is reset every time, no matter how many shares the yieldFeeRecipient claimed.

Proof of Concept

function claimYieldFeeShares(uint256 _shares) external onlyYieldFeeRecipient {
    if (_shares == 0) revert MintZeroShares();

    uint256 _yieldFeeBalance = yieldFeeBalance;
    if (_shares > _yieldFeeBalance) revert SharesExceedsYieldFeeBalance(_shares, _yieldFeeBalance);
    // @audit this should be shares
    yieldFeeBalance -= _yieldFeeBalance;

    _mint(msg.sender, _shares);

    emit ClaimYieldFeeShares(msg.sender, _shares);
}

We can see that first the yieldFeeBalance is stored in _yieldFeeBalance and then subtracted with the same amount even if the yieldFeeRecipient doesn't claim all the fees.

This leaves unclaimed fees and affects the _totalDebt since it would return less than it actually is.

Tools Used

Manual Review

Subtract the shares from yieldFeeBalance instead of reseting it.

    yieldFeeBalance -= _shares;

Assessed type

Other

#0 - c4-pre-sort

2024-03-11T23:08:12Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2024-03-11T23:08:19Z

raymondfam marked the issue as duplicate of #10

#2 - c4-pre-sort

2024-03-13T04:38:44Z

raymondfam marked the issue as duplicate of #59

#3 - c4-judge

2024-03-15T07:37:30Z

hansfriese changed the severity to 3 (High Risk)

#4 - c4-judge

2024-03-15T07:38:03Z

hansfriese marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter