PoolTogether - Krace's results

Lines of code

https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L617

Vulnerability details

Impact

In the claimYieldFeeShares function, regardless of the value of _shares, the yieldFeeBalance is consistently set to zero when called by the YieldFeeRecipient. This leads to a loss of Yield Fees.

Proof of Concept

The claimYieldFeeShares function, employed by the YieldFeeRecipient to retrieve Yield Fees, currently exhibits a flaw. Specifically, it consistently sets the yieldFeeBalance to zero, regardless of whether the _shares amount is less than the existing yieldFeeBalance. This oversight leads to a loss of Yield Fees.

    function claimYieldFeeShares(uint256 _shares) external onlyYieldFeeRecipient {
        if (_shares == 0) revert MintZeroShares();

        uint256 _yieldFeeBalance = yieldFeeBalance;
        if (_shares > _yieldFeeBalance) revert SharesExceedsYieldFeeBalance(_shares, _yieldFeeBalance);
//@audit yieldFeeBalance will always become zero whatever the value of _shares is.
        yieldFeeBalance -= _yieldFeeBalance;

        _mint(msg.sender, _shares);

        emit ClaimYieldFeeShares(msg.sender, _shares);
    }

Tools Used

Manual Review

Recommended Mitigation Steps

The yieldFeeBalance should subtract _shares rather than _yieldFeeBalance.

diff --git a/pt-v5-vault/src/PrizeVault.sol b/pt-v5-vault/src/PrizeVault.sol
index fafcff3..a2f5d81 100644
--- a/pt-v5-vault/src/PrizeVault.sol
+++ b/pt-v5-vault/src/PrizeVault.sol
@@ -614,7 +614,7 @@ contract PrizeVault is TwabERC20, Claimable, IERC4626, ILiquidationSource, Ownab
         uint256 _yieldFeeBalance = yieldFeeBalance;
         if (_shares > _yieldFeeBalance) revert SharesExceedsYieldFeeBalance(_shares, _yieldFeeBalance);

-        yieldFeeBalance -= _yieldFeeBalance;
+        yieldFeeBalance -= _shares;

         _mint(msg.sender, _shares);

Assessed type

Context