code-423n4 / 2023-07-pooltogether-findings


`mintYieldFee` allows passing an arbitrary recipient for the yield fee, meaning anybody can mint shares for free #199

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394-L402

Vulnerability details

Impact

Anyone can pass an arbitrary recipient in mintYieldFee function to mint free shares.

Proof of Concept

When someone calls a liquidate function on a vault, the yieldFeeTotalSupply is increased if yieldFeePercentage != 0:

    if (_yieldFeePercentage != 0) {
      _increaseYieldFeeBalance(
        (_amountOut * FEE_PRECISION) / (FEE_PRECISION - _yieldFeePercentage) - _amountOut
      );
    }

This yield fee can then be withdrawn through a mintYieldFee function. The issue is that instead of transferring the yield fee to the _yieldFeeRecipient (a state variable), the function takes an arbitrary address as the recipient, meaning that anyone can mint free shares.

Tools Used

Manual review

Recommended Mitigation Steps

Transfer the yield fee to the _yieldFeeRecipient directly.

Assessed type

Access Control
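The following is an added illustration, not code from pt-v5-vault or from the report author: a deliberately minimal vault that accrues a yield fee with the same formula quoted above and exposes both shapes of the mint function side by side. The vulnerable shape takes a caller-supplied recipient; the hardened shape mints to the stored `_yieldFeeRecipient`, as the mitigation recommends, and additionally restricts the caller (that caller check is an extra assumption of this example, not something the report asks for). All names other than `FEE_PRECISION`, `_yieldFeePercentage`, `_yieldFeeTotalSupply` and `_yieldFeeRecipient` are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed example (not pt-v5-vault code): a minimal share vault that
// accrues a yield fee during liquidations and later mints it as shares.
contract YieldFeeVaultExample {
    uint256 public constant FEE_PRECISION = 1e9;

    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    // Fee accrued during liquidations, in shares, not yet minted.
    uint256 private _yieldFeeTotalSupply;
    // Intended beneficiary of the fee, fixed at deployment in this example.
    address private immutable _yieldFeeRecipient;
    uint256 private immutable _yieldFeePercentage;

    error YieldFeeGTAvailable(uint256 requested, uint256 available);
    error CallerNotYieldFeeRecipient(address caller);

    constructor(address yieldFeeRecipient_, uint256 yieldFeePercentage_) {
        require(yieldFeePercentage_ < FEE_PRECISION, "fee >= 100%");
        _yieldFeeRecipient = yieldFeeRecipient_;
        _yieldFeePercentage = yieldFeePercentage_;
    }

    // Stand-in for the liquidation path: only the fee accounting is kept.
    // The fee is the gross amount implied by amountOut minus amountOut itself,
    // exactly the expression quoted in the report.
    function recordLiquidation(uint256 amountOut) external {
        if (_yieldFeePercentage != 0) {
            _yieldFeeTotalSupply +=
                (amountOut * FEE_PRECISION) / (FEE_PRECISION - _yieldFeePercentage) - amountOut;
        }
    }

    function yieldFeeTotalSupply() external view returns (uint256) {
        return _yieldFeeTotalSupply;
    }

    // VULNERABLE shape: the caller chooses who receives the fee shares, so
    // the stored recipient is never consulted and anyone can claim the fee.
    function mintYieldFeeVulnerable(uint256 shares, address recipient) external {
        if (shares > _yieldFeeTotalSupply) {
            revert YieldFeeGTAvailable(shares, _yieldFeeTotalSupply);
        }
        _yieldFeeTotalSupply -= shares;
        _mint(recipient, shares);
    }

    // HARDENED shape: shares always go to _yieldFeeRecipient (the report's
    // mitigation). Limiting the caller to that recipient is an additional
    // check chosen for this example.
    function mintYieldFee(uint256 shares) external {
        if (msg.sender != _yieldFeeRecipient) {
            revert CallerNotYieldFeeRecipient(msg.sender);
        }
        if (shares > _yieldFeeTotalSupply) {
            revert YieldFeeGTAvailable(shares, _yieldFeeTotalSupply);
        }
        _yieldFeeTotalSupply -= shares;
        _mint(_yieldFeeRecipient, shares);
    }

    function _mint(address to, uint256 amount) internal {
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}
```

With a 10% fee (`yieldFeePercentage_ = 1e8`) and `recordLiquidation(900)`, the accrued fee is `900 * 1e9 / 9e8 - 900 = 100` shares. In the vulnerable shape any account can call `mintYieldFeeVulnerable(100, <itself>)` and receive them; in the hardened shape only `_yieldFeeRecipient` can ever hold the minted fee shares, regardless of who calls. A detection-side check for deployed code of this kind is to confirm that every `_mint` reachable from the fee path uses the stored recipient rather than a function argument.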

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #396

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory