Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394

Vulnerability details

Impact
The mintYieldFee function can be called by anyone, and the yieldFee can be sent to any address the caller chooses. In that way, anyone can get the yield fee. The contract also has a storage variable yieldFeeRecipient (with a setter function setYieldFeeRecipient guarded by the onlyOwner modifier), so the yieldFee should be sent only to this address.

Proof of Concept
As you can see from the code above, _yieldFeeRecipient is the bob address, but the mintYieldFee function is called with the eve address for the function parameter _recipient, so the yieldFee is sent to the eve address. This shows that the yieldFee can be sent to any address.

Tools Used
Manual review

Recommended Mitigation Steps
The _recipient parameter should be removed from the mintYieldFee function, and the yieldFee should be sent to the _yieldFeeRecipient address.

Assessed type
Access Control
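The vulnerable pattern and the recommended mitigation side by side, as an added simplified sketch that is not the pt-v5-vault Vault.sol code: the contract name, the accrueYieldFee stand-in, the error and event names, and the balance bookkeeping are assumed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added sketch, not pt-v5-vault's Vault.sol; names below are assumed.
contract YieldFeeVaultSketch {
    address public owner;
    address private _yieldFeeRecipient;   // owner-controlled fee recipient
    uint256 private _yieldFeeTotalSupply; // fee shares accrued, not yet minted
    mapping(address => uint256) public balanceOf;

    error YieldFeeGTAvailable(uint256 requested, uint256 available);
    event MintYieldFee(address indexed caller, address indexed recipient, uint256 shares);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(address recipient) { owner = msg.sender; _yieldFeeRecipient = recipient; }

    function setYieldFeeRecipient(address recipient) external onlyOwner {
        _yieldFeeRecipient = recipient;
    }

    // Stand-in for the vault's real fee accrual so the sketch can be exercised.
    function accrueYieldFee(uint256 shares) external onlyOwner {
        _yieldFeeTotalSupply += shares;
    }

    // VULNERABLE (the pattern in the finding): the caller picks the recipient,
    // so the onlyOwner-guarded _yieldFeeRecipient is never consulted.
    function mintYieldFeeVulnerable(uint256 shares, address recipient) external {
        _consumeFee(shares);
        _mint(recipient, shares);
        emit MintYieldFee(msg.sender, recipient, shares);
    }

    // MITIGATED: no recipient parameter. Anyone may still trigger the mint,
    // but the shares can only land in _yieldFeeRecipient.
    function mintYieldFee(uint256 shares) external {
        _consumeFee(shares);
        _mint(_yieldFeeRecipient, shares);
        emit MintYieldFee(msg.sender, _yieldFeeRecipient, shares);
    }

    function _consumeFee(uint256 shares) internal {
        if (shares > _yieldFeeTotalSupply) revert YieldFeeGTAvailable(shares, _yieldFeeTotalSupply);
        _yieldFeeTotalSupply -= shares;
    }

    function _mint(address to, uint256 shares) internal { balanceOf[to] += shares; }
}
```

A unit test for the mitigated version should assert that, whoever calls mintYieldFee, only balanceOf[_yieldFeeRecipient] changes.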