PoolTogether - y4y's results

General Information

Platform: Code4rena

Start Date: 04/03/2024

Pot Size: $36,500 USDC

Total HM: 9

Participants: 80

Period: 7 days

Judge: hansfriese

Total Solo HM: 2

Id: 332

League: ETH

PoolTogether

Findings Distribution

Researcher Performance

Rank: 66/80

Findings: 1

Award: $1.47

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository PoolTogether

Findings Information

🌟 Selected for report: DarkTower

Also found by: 0xJaeger, 0xJoyBoy03, 0xRiO, 0xkeesmark, 0xlemon, 0xmystery, Abdessamed, AcT3R, Afriauditor, AgileJune, Al-Qa-qa, Aymen0909, Daniel526, DanielTan_MetaTrust, Dots, FastChecker, Fitro, GoSlang, Greed, Krace, McToady, SoosheeTheWise, Tripathi, asui, aua_oo7, btk, crypticdefense, d3e4, dd0x7e8, dvrkzy, gesha17, iberry, kR1s, leegh, marqymarq10, n1punp, pa6kuda, radin100, sammy, smbv-1923, trachev, turvy_fuzz, valentin_s2304, wangxx2026, y4y, yotov721, yvuchev, zhaojie

Awards

1.4652 USDC - $1.47

Labels

bug

3 (High Risk)

satisfactory

sufficient quality report

upgraded by judge

:robot:_10_group

duplicate-59

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L617

Vulnerability details

Impact

Incorrect amount of value will be decreased for yieldFeeBalance, and can potentially cause lose of share a recipient can get.

Proof of Concept

In function claimYieldFeeShares, fee recipient claims the yield fees and will be minted for equal amount of shares asked for:

    function claimYieldFeeShares(uint256 _shares) external onlyYieldFeeRecipient {
        if (_shares == 0) revert MintZeroShares();

        uint256 _yieldFeeBalance = yieldFeeBalance;
        if (_shares > _yieldFeeBalance) revert SharesExceedsYieldFeeBalance(_shares, _yieldFeeBalance);

        yieldFeeBalance -= _yieldFeeBalance;

        _mint(msg.sender, _shares);

        emit ClaimYieldFeeShares(msg.sender, _shares);
    }

But, in the function, yield balance is not decreased by the shares claimed for, instead, it's deducted by _yieldFeeBalance, which is essentially itself as:

uint256 _yieldFeeBalance = yieldFeeBalance;

This will clear out all yield balance, despite shares claimed may not be all of the yield fees. This will cause fee recipient receive less shares than expected.

Tools Used

Manual review.

Recommended Mitigation Steps

Change the deduction to:

yieldFeeBalance -= _shares;

Assessed type

Context

#0 - c4-pre-sort
2024-03-11T21:51:39Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort
2024-03-11T21:51:45Z

raymondfam marked the issue as duplicate of #10

#2 - c4-pre-sort
2024-03-13T04:38:28Z

raymondfam marked the issue as duplicate of #59

#3 - c4-judge
2024-03-15T07:37:31Z

hansfriese changed the severity to 3 (High Risk)

#4 - c4-judge
2024-03-15T07:39:07Z

hansfriese marked the issue as satisfactory

PoolTogether - y4y's results

General Information

Findings Distribution

Researcher Performance

External Links

[H-01] `claimYieldFeeShares` deducts the incorrect amount of value from `yieldFeeBalance` - $1.47

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type

#0 - c4-pre-sort2024-03-11T21:51:39Z

#1 - c4-pre-sort2024-03-11T21:51:45Z

#2 - c4-pre-sort2024-03-13T04:38:28Z

#3 - c4-judge2024-03-15T07:37:31Z

#4 - c4-judge2024-03-15T07:39:07Z

#0 - c4-pre-sort
2024-03-11T21:51:39Z

#1 - c4-pre-sort
2024-03-11T21:51:45Z

#2 - c4-pre-sort
2024-03-13T04:38:28Z

#3 - c4-judge
2024-03-15T07:37:31Z

#4 - c4-judge
2024-03-15T07:39:07Z