PoolTogether - Daniel526's results

Lines of code

https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L611-L622

Vulnerability details

Impact

The incorrect subtraction of _yieldFeeBalance instead of _shares in the claimYieldFeeShares function can lead to an incorrect calculation of the available yield fee balance. As a result, the yield fee shares distributed to the yield fee recipient may not accurately reflect the actual available balance, potentially causing financial discrepancies and loss of funds.

Proof of Concept

The claimYieldFeeShares function in the PrizeVault contract subtracts the wrong variable when updating the yieldFeeBalance. The current implementation subtracts _yieldFeeBalance instead of _shares, which leads to an incorrect calculation of the available yield fee balance. This flaw can result in an inaccurate distribution of yield fee shares and potential loss of funds.

/// @notice Transfers yield fee shares to the yield fee recipient
/// @param _shares The shares to mint to the yield fee recipient
/// @dev Emits a `ClaimYieldFeeShares` event
/// @dev Will revert if the caller is not the yield fee recipient or if zero shares are withdrawn
function claimYieldFeeShares(uint256 _shares) external onlyYieldFeeRecipient {
    if (_shares == 0) revert MintZeroShares();
    uint256 _yieldFeeBalance = yieldFeeBalance;
    if (_shares > _yieldFeeBalance) revert SharesExceedsYieldFeeBalance(_shares, _yieldFeeBalance);
    yieldFeeBalance -= _yieldFeeBalance;
    _mint(msg.sender, _shares);
    emit ClaimYieldFeeShares(msg.sender, _shares);
}

Tools Used

Manual

Recommended Mitigation Steps

The claimYieldFeeShares function should be updated to subtract _shares from yieldFeeBalance instead of _yieldFeeBalance.

Assessed type

Context