Platform: Code4rena
Start Date: 04/03/2024
Pot Size: $36,500 USDC
Total HM: 9
Participants: 80
Period: 7 days
Judge: hansfriese
Total Solo HM: 2
Id: 332
League: ETH
Rank: 52/80
Findings: 1
Award: $1.47
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: DarkTower
Also found by: 0xJaeger, 0xJoyBoy03, 0xRiO, 0xkeesmark, 0xlemon, 0xmystery, Abdessamed, AcT3R, Afriauditor, AgileJune, Al-Qa-qa, Aymen0909, Daniel526, DanielTan_MetaTrust, Dots, FastChecker, Fitro, GoSlang, Greed, Krace, McToady, SoosheeTheWise, Tripathi, asui, aua_oo7, btk, crypticdefense, d3e4, dd0x7e8, dvrkzy, gesha17, iberry, kR1s, leegh, marqymarq10, n1punp, pa6kuda, radin100, sammy, smbv-1923, trachev, turvy_fuzz, valentin_s2304, wangxx2026, y4y, yotov721, yvuchev, zhaojie
1.4652 USDC - $1.47
When the `yieldFeeRecipient` tries to claim some amount of `yieldFeeBalance` by calling the `claimYieldFeeShares` function, the function mints the given amount of shares, but the remaining `yieldFeeBalance` is also deducted. This results in a loss of yield fees for the `yieldFeeRecipient`.
```solidity
function claimYieldFeeShares(uint256 _shares) external onlyYieldFeeRecipient {
    if (_shares == 0) revert MintZeroShares();

    uint256 _yieldFeeBalance = yieldFeeBalance;
    if (_shares > _yieldFeeBalance) revert SharesExceedsYieldFeeBalance(_shares, _yieldFeeBalance);

    yieldFeeBalance -= _yieldFeeBalance;

    _mint(msg.sender, _shares);

    emit ClaimYieldFeeShares(msg.sender, _shares);
}
```
The function takes an argument `uint256 _shares`, so it is clear that the caller (the `yieldFeeRecipient`) can choose the amount of `yieldFeeBalance` he wants to claim. However, regardless of the amount of `_shares` requested, the function mints that amount of `_shares` but always deducts the full amount of `yieldFeeBalance`.
```solidity
uint256 _yieldFeeBalance = yieldFeeBalance;
yieldFeeBalance -= _yieldFeeBalance;
_mint(msg.sender, _shares);
```
It mints the given amount of shares but always deducts the full amount of `yieldFeeBalance`.

Since the underlying asset is not withdrawn and is still in the yieldVault, the assets are not directly lost. They go back to the availableYieldBalance, which will go to the pricePool. There might not be a direct loss of assets, but the `yieldFeeRecipient` clearly lost his collectible fees.
manual.
Replace the line `yieldFeeBalance -= _yieldFeeBalance;` in the `claimYieldFeeShares` function with `yieldFeeBalance -= _shares`.

Another approach would be to remove the parameter `uint256 _shares` and always mint the total amount of fees: remove `if (_shares > _yieldFeeBalance) revert SharesExceedsYieldFeeBalance(_shares, _yieldFeeBalance);` and change `_mint(msg.sender, _shares);` to `_mint(msg.sender, _yieldFeeBalance);`.
Other
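The accounting error described above can be checked as a conservation property: every accrued fee unit must end up either minted to the recipient or still claimable. The following Python model is an added example, not code from the audited project or the original report; `FeeLedger`, `forfeited_fees` and `find_counterexample` are hypothetical names, and the model covers only the fee bookkeeping of `claimYieldFeeShares`.

```python
import random


class SharesExceedsYieldFeeBalance(Exception):
    pass


class FeeLedger:
    """Constructed model of the fee bookkeeping only; not the vault's code."""

    def __init__(self, yield_fee_balance, fixed):
        self.yield_fee_balance = yield_fee_balance
        self.recipient_shares = 0
        self.fixed = fixed

    def claim_yield_fee_shares(self, shares):
        if shares == 0:
            raise ValueError("MintZeroShares")
        balance = self.yield_fee_balance
        if shares > balance:
            raise SharesExceedsYieldFeeBalance(shares, balance)
        # Reported logic deducts the cached full balance;
        # the first proposed fix deducts only `shares`.
        self.yield_fee_balance -= shares if self.fixed else balance
        self.recipient_shares += shares


def forfeited_fees(fixed, accrued, claims):
    """Run a claim sequence; return fees neither minted nor still claimable."""
    ledger = FeeLedger(accrued, fixed)
    for shares in claims:
        try:
            ledger.claim_yield_fee_shares(shares)
        except SharesExceedsYieldFeeBalance:
            pass  # a reverted claim leaves state unchanged
    return accrued - ledger.recipient_shares - ledger.yield_fee_balance


def find_counterexample(fixed, trials=500, seed=1):
    """Random search for a claim sequence that breaks fee conservation."""
    rng = random.Random(seed)
    for _ in range(trials):
        accrued = rng.randint(1, 1_000)
        claims = [rng.randint(1, accrued) for _ in range(rng.randint(1, 4))]
        if forfeited_fees(fixed, accrued, claims) != 0:
            return accrued, claims
    return None


if __name__ == "__main__":
    print("reported logic:", find_counterexample(fixed=False))
    print("proposed fix:  ", find_counterexample(fixed=True))
```

The same property translates directly into a fuzz or invariant test against the contract: the drop in `yieldFeeBalance` across a successful claim must equal the shares minted.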
#0 - c4-pre-sort
2024-03-11T21:35:51Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-03-11T21:35:56Z
raymondfam marked the issue as duplicate of #10
#2 - c4-pre-sort
2024-03-13T04:38:02Z
raymondfam marked the issue as duplicate of #59
#3 - c4-judge
2024-03-15T07:37:31Z
hansfriese changed the severity to 3 (High Risk)
#4 - c4-judge
2024-03-15T07:40:45Z
hansfriese marked the issue as satisfactory