updatePoolOwner should call withdrawCreatorRevenue, otherwise, creator fees will be given to the next owner #341
Labels:
- 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
- bug: Something isn't working
- insufficient quality report: This report is not of sufficient quality
- 🤖_primary: AI based primary recommendation
- 🤖_46_group: AI based duplicate group recommendation
Lines of code
https://github.com/code-423n4/2024-05-predy/blob/main/src/libraries/ApplyInterestLib.sol#L50-L73
https://github.com/code-423n4/2024-05-predy/blob/main/src/PredyPool.sol#L157-L159
Vulnerability details
Impact
Changing the pool owner without first invoking PredyPool::withdrawCreatorRevenue will make the outgoing owner lose all of the accumulated creator fees. The issue is made worse by the fact that pair creation is not limited to the Predy team, and normal users cannot be expected to know that they must explicitly claim their fees before changing the owner.
Proof of Concept
All actions in the Predy system invoke the ApplyInterestLib::applyInterestForToken function, which is responsible for updating the fee and premium growth as well as the interest and, most importantly for this issue, for accruing accumulatedProtocolRevenue and accumulatedCreatorRevenue, which belong to the pool operator and the pool owner respectively. In pools with high activity, a lot of funds will therefore accrue to their respective claimers (see ApplyInterestLib.sol).
At any time these fees can be claimed via PredyPool::withdrawProtocolRevenue and PredyPool::withdrawCreatorRevenue. The issue is that the pool owner has the ability to transfer pool ownership to another user, but this is performed without first claiming the fees via PredyPool::withdrawCreatorRevenue (see PredyPool.sol).
The impact is that pool owners will lose all of their designated creator fees if they do not manually call the claim function before transferring ownership, since the unclaimed balance then becomes claimable by the new owner.
Tools Used
Manual Review
Recommended Mitigation Steps
Invoke PredyPool::withdrawCreatorRevenue in the updatePoolOwner function.
Assessed type
Governance
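The ownership-transfer pattern the report describes and the recommended mitigation side by side, as an added illustration that is not Predy's code: a simplified model contract whose storage layout, modifier and function names are assumptions, with only the three function names taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface needed for the payout (assumption, not Predy's interface).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Simplified model of per-pair creator revenue and pool ownership.
/// Hypothetical structure; it only mirrors the accrue -> claim -> transfer-owner flow.
contract PoolOwnerSettlementModel {
    struct Pair {
        address poolOwner;
        address quoteToken;
        // In the real system this is accrued by applyInterestForToken on every action.
        uint256 accumulatedCreatorRevenue;
    }

    mapping(uint256 => Pair) public pairs;

    modifier onlyPoolOwner(uint256 pairId) {
        require(msg.sender == pairs[pairId].poolOwner, "not pool owner");
        _;
    }

    // Pays out whatever the current pool owner has accrued and zeroes the balance.
    function withdrawCreatorRevenue(uint256 pairId) public onlyPoolOwner(pairId) {
        Pair storage p = pairs[pairId];
        uint256 amount = p.accumulatedCreatorRevenue;
        p.accumulatedCreatorRevenue = 0; // effects before interaction
        if (amount > 0) {
            require(IERC20(p.quoteToken).transfer(msg.sender, amount), "transfer failed");
        }
    }

    // Pattern flagged by the report: ownership moves, but the unclaimed balance
    // stays attached to the pair and becomes claimable by newOwner.
    function updatePoolOwnerUnsafe(uint256 pairId, address newOwner) external onlyPoolOwner(pairId) {
        pairs[pairId].poolOwner = newOwner;
    }

    // Mitigation: settle the outgoing owner's revenue before handing over the pair.
    // The internal call keeps msg.sender, so the onlyPoolOwner check still passes.
    function updatePoolOwner(uint256 pairId, address newOwner) external onlyPoolOwner(pairId) {
        require(newOwner != address(0), "zero owner");
        withdrawCreatorRevenue(pairId);
        pairs[pairId].poolOwner = newOwner;
    }
}
```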