PoolTogether - leegh's results

Lines of code

https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L617

Vulnerability details

Impact

Yield fee shares are incorrectly reduced when claiming part of them, resulting that the remaining yield fee shares will not be able to be claimed again.

Proof of Concept

At line 617, the yieldFeeBalance is reduced by _yieldFeeBalance. However, the real claimed amount is _shares. It is possible that _shares < _yieldFeeBalance, in which case, part of the yield fee shares will be locked in the vault and will not be able to be claimed.

611:    function claimYieldFeeShares(uint256 _shares) external onlyYieldFeeRecipient {
612:        if (_shares == 0) revert MintZeroShares();
613:
614:        uint256 _yieldFeeBalance = yieldFeeBalance;
615:        if (_shares > _yieldFeeBalance) revert SharesExceedsYieldFeeBalance(_shares, _yieldFeeBalance);
616:
617:=>      yieldFeeBalance -= _yieldFeeBalance;
618:
619:        _mint(msg.sender, _shares);
620:
621:        emit ClaimYieldFeeShares(msg.sender, _shares);
622:    }

https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L611-L622

Tools Used

VSCode

Recommended Mitigation Steps

After claiming, decrease yieldFeeBalance by _shares instead of _yieldFeeBalance.

    function claimYieldFeeShares(uint256 _shares) external onlyYieldFeeRecipient {
        if (_shares == 0) revert MintZeroShares();

        uint256 _yieldFeeBalance = yieldFeeBalance;
        if (_shares > _yieldFeeBalance) revert SharesExceedsYieldFeeBalance(_shares, _yieldFeeBalance);

-        yieldFeeBalance -= _yieldFeeBalance;
+        yieldFeeBalance -= _shares;

        _mint(msg.sender, _shares);

        emit ClaimYieldFeeShares(msg.sender, _shares);
    }

Assessed type

Math