yieldFeeBalance wouldn't be claimed after calling transferTokensOut(). #244
Comments
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #319
On top of the comments on #319, _tokenOut is just a specifier whether to mint shares or to withdraw assets to the receiver. And the yieldFee added to yieldFeeBalance will be incorporated into totalDebt. The yield fee recipient will be able to claim it anytime unrestricted via the pull method.
hansfriese marked the issue as not a duplicate
hansfriese marked the issue as satisfactory
Similar to #91, this issue outlines the need for the TWAB supply limit checks to account for the yield fee balance so that the entire yield fee balance is always available to be realized as shares.
trmid (sponsor) confirmed
hansfriese marked the issue as selected for report
mitigation: GenerationSoftware/pt-v5-vault#93
Lines of code
https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L692
Vulnerability details
Impact
yieldFeeBalance wouldn't be claimed after calling transferTokensOut() due to the twab supply limit.
Proof of Concept
When _tokenOut == address(this), liquidatableBalanceOf() mints shares to the receiver and accumulates yieldFeeBalance accordingly.
But when it checks the maximum liquidatable amount in liquidatableBalanceOf(), it validates the twab supply limit with the liquidYield only and it might meet the supply limit while minting yieldFeeBalance like the below.
totalSupply = 6e28, yieldFeeBalance = 0, twabSupplyLimit = 2^96 - 1 = 7.9e28 and the vault has enough available yield.
liquidatableBalanceOf(_tokenOut = address(this)) will return _maxAmountOut = 7.9e28 - 6e28 = 1.9e28 when _liquidYield > _maxAmountOut.
transferTokensOut() with _amountOut = 1.9e28, _yieldFee will be added to yieldFeeBalance but it can't be claimed as we met the twab supply limit already.
Tools Used
Manual Review
Recommended Mitigation Steps
liquidatableBalanceOf() shouldn't apply yieldFeePercentage to compare with _maxAmountOut when _tokenOut == address(this).
Assessed type
Invalid Validation
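
A simplified integer model of the scenario in this report, added here as an example and not taken from PrizeVault.sol or the mitigation PR. It replays the report's numbers through the check as described and through a variant that caps the gross amount (shares out, plus fee, plus unclaimed fees) at the remaining supply headroom. FEE_PRECISION, the fee formula, the 10% fee, the 3e28 available yield and all Python names are assumptions of the model.

```python
from dataclasses import dataclass

TWAB_SUPPLY_LIMIT = 2**96 - 1  # twabSupplyLimit from the report (about 7.9e28)
FEE_PRECISION = 10**9          # assumed fixed-point scale for yieldFeePercentage

@dataclass
class VaultModel:
    total_supply: int
    available_yield: int        # yield not yet liquidated or reserved as fee
    fee_pct: int                # yieldFeePercentage scaled by FEE_PRECISION
    yield_fee_balance: int = 0

    def mint_limit(self) -> int:
        return TWAB_SUPPLY_LIMIT - self.total_supply

    def liquidatable_reported(self) -> int:
        # As described in the report: the fee is taken off the yield first and
        # only the net amount is compared with the supply headroom.
        liquid = self.available_yield * (FEE_PRECISION - self.fee_pct) // FEE_PRECISION
        return min(liquid, self.mint_limit())

    def liquidatable_capped(self) -> int:
        # Sketch of a corrected check: cap the gross amount, then remove the fee,
        # so shares out + new fee + unclaimed fees all fit under the limit.
        headroom = max(self.mint_limit() - self.yield_fee_balance, 0)
        gross = min(self.available_yield, headroom)
        return gross * (FEE_PRECISION - self.fee_pct) // FEE_PRECISION

    def transfer_tokens_out(self, amount_out: int) -> None:
        # _tokenOut == address(this): mint shares and accrue the fee on top.
        if amount_out > self.mint_limit():
            raise ValueError("mint exceeds TWAB supply limit")
        fee = amount_out * FEE_PRECISION // (FEE_PRECISION - self.fee_pct) - amount_out
        self.available_yield -= amount_out + fee
        self.yield_fee_balance += fee
        self.total_supply += amount_out

    def claimable_fee_shares(self) -> int:
        # Fee shares that can still be minted without exceeding the limit.
        return min(self.yield_fee_balance, self.mint_limit())

def run(capped: bool) -> tuple[int, int]:
    # Constructed state: the report's supply figures, 10% fee, ample yield.
    v = VaultModel(total_supply=6 * 10**28, available_yield=3 * 10**28, fee_pct=10**8)
    out = v.liquidatable_capped() if capped else v.liquidatable_reported()
    v.transfer_tokens_out(out)
    return v.yield_fee_balance, v.claimable_fee_shares()

if __name__ == "__main__":
    print("reported check (fee accrued, claimable):", run(capped=False))
    print("capped check   (fee accrued, claimable):", run(capped=True))
```

With the reported check the accrued fee is positive but zero fee shares are claimable; with the capped check the whole fee balance remains mintable.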