Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394-L402
Vulnerability details
Impact
Anyone can pass an arbitrary recipient in the mintYieldFee function to mint free shares.
Proof of Concept
When someone calls a liquidate function on a vault, the yieldFeeTotalSupply is increased if yieldFeePercentage != 0.
This yield fee can then be withdrawn through a mintYieldFee function. The issue is that instead of transferring the yield fee to the _yieldFeeRecipient (a state variable), the function takes an arbitrary address as the recipient, meaning that anyone can mint free shares.
Tools Used
Manual review
Recommended Mitigation Steps
Transfer the yield fee to the _yieldFeeRecipient directly.
Assessed type
Access Control
Access Control
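
The pattern described in the finding next to the recommended mitigation, as an added example that is not the project's Vault.sol code. It is a simplified model: the contract name, accrueYieldFee, mintYieldFeeUnrestricted, the error name and the internal helpers are assumptions made for illustration; only mintYieldFee, _yieldFeeRecipient and yieldFeeTotalSupply are names taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified model written for this example; not the Vault.sol source.
contract YieldFeeModel {
    address private _yieldFeeRecipient;   // intended destination of fee shares
    uint256 public yieldFeeTotalSupply;   // fee shares accrued and not yet minted
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    // Hypothetical error name, chosen for this example.
    error FeeExceedsAccrued(uint256 requested, uint256 available);

    constructor(address yieldFeeRecipient_) {
        _yieldFeeRecipient = yieldFeeRecipient_;
    }

    // Hypothetical stand-in for the accrual that happens during liquidate
    // when yieldFeePercentage != 0. Left open only to keep the model small.
    function accrueYieldFee(uint256 shares) external {
        yieldFeeTotalSupply += shares;
    }

    // Pattern from the finding: the caller supplies the recipient, so any
    // account can direct the accrued fee shares to an address it controls.
    function mintYieldFeeUnrestricted(uint256 shares, address recipient) external {
        _consumeAccruedFee(shares);
        _mint(recipient, shares);
    }

    // Recommended mitigation: no recipient parameter. Whoever calls this,
    // the shares can only land on the _yieldFeeRecipient state variable.
    function mintYieldFee(uint256 shares) external {
        _consumeAccruedFee(shares);
        _mint(_yieldFeeRecipient, shares);
    }

    function _consumeAccruedFee(uint256 shares) private {
        if (shares > yieldFeeTotalSupply) {
            revert FeeExceedsAccrued(shares, yieldFeeTotalSupply);
        }
        yieldFeeTotalSupply -= shares;
    }

    function _mint(address to, uint256 shares) private {
        balanceOf[to] += shares;
        totalSupply += shares;
    }
}
```

With the hardened form the function can stay permissionless, because the caller no longer influences where the shares go.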