Platform: Code4rena
Start Date: 04/03/2024
Pot Size: $36,500 USDC
Total HM: 9
Participants: 80
Period: 7 days
Judge: hansfriese
Total Solo HM: 2
Id: 332
League: ETH
Rank: 34/80
Findings: 2
Award: $34.38
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: DarkTower
Also found by: 0xJaeger, 0xJoyBoy03, 0xRiO, 0xkeesmark, 0xlemon, 0xmystery, Abdessamed, AcT3R, Afriauditor, AgileJune, Al-Qa-qa, Aymen0909, Daniel526, DanielTan_MetaTrust, Dots, FastChecker, Fitro, GoSlang, Greed, Krace, McToady, SoosheeTheWise, Tripathi, asui, aua_oo7, btk, crypticdefense, d3e4, dd0x7e8, dvrkzy, gesha17, iberry, kR1s, leegh, marqymarq10, n1punp, pa6kuda, radin100, sammy, smbv-1923, trachev, turvy_fuzz, valentin_s2304, wangxx2026, y4y, yotov721, yvuchev, zhaojie
1.4652 USDC - $1.47
https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L617
The claimYieldFeeShares() allows the yieldFeeRecipient to select how many shares he wants to mint to himself and then burn yieldFeeBalance. The problem is that even if he inputs _shares amount that is less than yieldFeeBalance it still sets the whole yieldFeeBalance to 0.
https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L617
yieldFieldBalance is used to calculate the total debt in _totalDebt():
https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L790-L792
The issue is that _totalDebt() assumes that yieldFeeBalance represents the amount of shares that the yieldFeeRecipient will redeem. However that is not the case. If yieldFeeBalance is 50 and the yieldFeeRecipient decides to mint only 5 shares for now, the whole yieldFeeBalance resets to 0.
The totalDebt() is used for a lot of checks for calculations but I assume yieldFeeBalance will be a very small fraction to have any severe impacts on these checks. Nevertheless this is something to keep in mind.
L-617 yieldFeeBalance -= _shares;
Error
#0 - c4-pre-sort
2024-03-11T21:29:47Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-03-11T21:29:53Z
raymondfam marked the issue as duplicate of #10
#2 - c4-pre-sort
2024-03-13T04:38:01Z
raymondfam marked the issue as duplicate of #59
#3 - c4-judge
2024-03-15T07:37:30Z
hansfriese changed the severity to 3 (High Risk)
#4 - c4-judge
2024-03-15T07:40:47Z
hansfriese marked the issue as satisfactory
32.9145 USDC - $32.91
https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L305
Imagine the asset has 10 decimals and somehow the _tryGetAssetDecimals() returns false because it fails to retrieve the token decimals. Then the contract will assume that the asset has 18 decimals instead of 10.
I recommend making the transaction fail if _tryGetAssetDecimals() returns false
Some tokens (e.g. BNB) revert when approving a zero value amount (i.e. a call to approve(address, 0)).
https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L869
claimPrize()If _winner is set to the zero address then the _recipient will also be set to the zero address.
https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/abstract/Claimable.sol#L76-L82
totalAssets == 0 check in previewRedeemhttps://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L470-L472
You could argue that there is no point for checking if totalAssets is zero, because if it's zero then previewRedeem() will return 0 _assets. However this check is included in the previewWithdraw() function where if totalAssets is zero and the check is missing the transaction will simply revert because of devision by 0.
https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L458
#0 - raymondfam
2024-03-13T07:46:21Z
Less than 5 L/NC
#1 - c4-pre-sort
2024-03-13T07:46:25Z
raymondfam marked the issue as insufficient quality report
#2 - c4-pre-sort
2024-03-13T07:46:29Z
raymondfam marked the issue as grade-c
#3 - c4-judge
2024-03-18T13:10:26Z
hansfriese marked the issue as grade-b