Platform: Code4rena
Start Date: 04/03/2024
Pot Size: $36,500 USDC
Total HM: 9
Participants: 80
Period: 7 days
Judge: hansfriese
Total Solo HM: 2
Id: 332
League: ETH
Rank: 77/80
Findings: 1
Award: $1.47
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: DarkTower
Also found by: 0xJaeger, 0xJoyBoy03, 0xRiO, 0xkeesmark, 0xlemon, 0xmystery, Abdessamed, AcT3R, Afriauditor, AgileJune, Al-Qa-qa, Aymen0909, Daniel526, DanielTan_MetaTrust, Dots, FastChecker, Fitro, GoSlang, Greed, Krace, McToady, SoosheeTheWise, Tripathi, asui, aua_oo7, btk, crypticdefense, d3e4, dd0x7e8, dvrkzy, gesha17, iberry, kR1s, leegh, marqymarq10, n1punp, pa6kuda, radin100, sammy, smbv-1923, trachev, turvy_fuzz, valentin_s2304, wangxx2026, y4y, yotov721, yvuchev, zhaojie
1.4652 USDC - $1.47
The claimYieldFeeShares method is intended to claim the yield fee in shares based on the _shares parameter. The yield fee recipient passes the number of shares it wants to claim, which is then compared with yieldFeeBalance, which should represent the amount of claimable shares for the recipient. If the _shares parameter is lower than yieldFeeBalance, the method mints the _shares amount of shares but resets yieldFeeBalance to 0 in any case. The result is that the yield fee recipient receives fewer shares than it should: the value of the remaining shares is lost to the recipient, and the assets are shared with the depositors.
    function claimYieldFeeShares(uint256 _shares) external onlyYieldFeeRecipient {
        if (_shares == 0) revert MintZeroShares();

        uint256 _yieldFeeBalance = yieldFeeBalance;
        if (_shares > _yieldFeeBalance) revert SharesExceedsYieldFeeBalance(_shares, _yieldFeeBalance);

    @>  yieldFeeBalance -= _yieldFeeBalance;

        _mint(msg.sender, _shares);

        emit ClaimYieldFeeShares(msg.sender, _shares);
    }
Manual review
There are multiple possible solutions for the issue.
One is to remove the _shares parameter and mint the number of shares to the fee recipient based on the yieldFeeBalance value.
    function claimYieldFeeShares() external onlyYieldFeeRecipient {
        uint256 _yieldFeeBalance = yieldFeeBalance;

        yieldFeeBalance = 0;

        _mint(msg.sender, _yieldFeeBalance);

        emit ClaimYieldFeeShares(msg.sender, _yieldFeeBalance);
    }
The other one is to leave the _shares parameter but properly calculate the yieldFeeBalance based on the _shares parameter.
    function claimYieldFeeShares(uint256 _shares) external onlyYieldFeeRecipient {
        if (_shares == 0) revert MintZeroShares();

        uint256 _yieldFeeBalance = yieldFeeBalance;
        if (_shares > _yieldFeeBalance) revert SharesExceedsYieldFeeBalance(_shares, _yieldFeeBalance);

        yieldFeeBalance -= _shares;

        _mint(msg.sender, _shares);

        emit ClaimYieldFeeShares(msg.sender, _shares);
    }
Error
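A regression check for the accounting described in this finding, as an added example that is not part of the original report or the audited code. FeeLedger, minted, patched, ClaimInvariantCheck and the sample amounts are constructed for illustration; minted stands in for _mint, and the access modifier is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed stand-in that models only the fee accounting of the claim method.
contract FeeLedger {
    error MintZeroShares();
    error SharesExceedsYieldFeeBalance(uint256 shares, uint256 yieldFeeBalance);

    uint256 public yieldFeeBalance;
    uint256 public minted;          // assumption: replaces _mint(msg.sender, _shares)
    bool public immutable patched;  // false = reported behaviour, true = second fix

    constructor(uint256 _accrued, bool _patched) {
        yieldFeeBalance = _accrued;
        patched = _patched;
    }

    function claimYieldFeeShares(uint256 _shares) external {
        if (_shares == 0) revert MintZeroShares();
        uint256 _yieldFeeBalance = yieldFeeBalance;
        if (_shares > _yieldFeeBalance) revert SharesExceedsYieldFeeBalance(_shares, _yieldFeeBalance);
        // Reported code subtracts the whole balance; the fix subtracts only the claim.
        yieldFeeBalance -= (patched ? _shares : _yieldFeeBalance);
        minted += _shares;
    }
}

/// Invariant under test: after a partial claim, minted + remaining == accrued.
contract ClaimInvariantCheck {
    uint256 constant ACCRUED = 100e18; // constructed sample values
    uint256 constant CLAIM = 40e18;

    // Fee shares that are neither minted nor still claimable after one partial claim.
    function unaccounted(bool _patched) public returns (uint256) {
        FeeLedger ledger = new FeeLedger(ACCRUED, _patched);
        ledger.claimYieldFeeShares(CLAIM);
        return ACCRUED - (ledger.minted() + ledger.yieldFeeBalance());
    }

    function run() external returns (uint256 buggyLoss, uint256 fixedLoss) {
        buggyLoss = unaccounted(false);
        fixedLoss = unaccounted(true);
        assert(buggyLoss == ACCRUED - CLAIM); // unclaimed remainder is wiped
        assert(fixedLoss == 0);               // remainder stays claimable
    }
}
```

The same invariant, asserted against the real vault in a fuzz test over _shares, would flag any claim path that zeroes the balance on a partial claim.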
#0 - c4-pre-sort
2024-03-11T21:38:39Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-03-11T21:38:46Z
raymondfam marked the issue as duplicate of #10
#2 - c4-pre-sort
2024-03-13T04:38:08Z
raymondfam marked the issue as duplicate of #59
#3 - c4-judge
2024-03-15T07:40:39Z
hansfriese marked the issue as satisfactory