Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394-L402
Vulnerability details
Impact
The current implementation of the Vault allows anyone to call the mintYieldFee() function, hence direct loss of funds. Furthermore, if the vault becomes undercollateralized, there will be no yield left to collateralize it.
Proof of Concept
The _yieldFeeTotalSupply variable represents the total accrued supply from the yield fee, which serves the purpose of collateralizing the vault if it becomes undercollateralized.
The _yieldFeeRecipient variable holds the address of the yield fee recipient who receives the fee amount when yield is captured.
_yieldFeeRecipient can withdraw their yield fee through the mintYieldFee() function, and this function is callable by anyone. Here is the current implementation:
As a result, anyone can mint the yield fee, and when the vault becomes undercollateralized, there will be no yield left to collateralize it.
Here is a coded POC to demonstrate the issue:
Test Result
Test Setup
VaultLiquidateTest.sol
cd vault
forge test --match-contract VaultLiquidateTest --match-test testMintingYieldFee -vvvv
Tools Used
Manual Review
Recommended Mitigation Steps
We recommend adjusting the function to:
Assessed type
Access Control
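An added sketch of the access-control point, not code from the report or from the Vault: a simplified Solidity model that puts an unguarded mint call beside a recipient-only version. Only _yieldFeeTotalSupply and _yieldFeeRecipient are names from the report; the contract name, the error names, the caller-supplied `to` parameter and the share ledger are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration: a minimal model of yield-fee accounting, not the Vault source.
/// Only _yieldFeeTotalSupply and _yieldFeeRecipient are names taken from the report.
contract YieldFeeModel {
    error CallerNotYieldFeeRecipient(address caller);
    error YieldFeeExceedsAvailable(uint256 requested, uint256 available);

    uint256 internal _yieldFeeTotalSupply; // fee shares accrued but not yet minted
    address internal _yieldFeeRecipient;   // the only party entitled to those shares
    mapping(address => uint256) public balanceOf; // simplified share ledger (assumption)

    constructor(address recipient, uint256 accruedFee) {
        _yieldFeeRecipient = recipient;
        _yieldFeeTotalSupply = accruedFee;
    }

    /// Unrestricted form (assumed shape): msg.sender is never checked and the
    /// destination is caller-supplied, so any account can claim the accrued fee.
    function mintYieldFeeUnrestricted(uint256 shares, address to) external {
        _debit(shares);
        balanceOf[to] += shares;
    }

    /// Restricted form: only the recipient may call, and shares are credited
    /// to the stored recipient, so no caller-chosen address is involved.
    function mintYieldFee(uint256 shares) external {
        if (msg.sender != _yieldFeeRecipient) {
            revert CallerNotYieldFeeRecipient(msg.sender);
        }
        _debit(shares);
        balanceOf[_yieldFeeRecipient] += shares;
    }

    /// Remaining accrued fee, exposed so a test can check it after each call.
    function yieldFeeTotalSupply() external view returns (uint256) {
        return _yieldFeeTotalSupply;
    }

    /// Shared accounting: reject over-claims, then reduce the accrued fee.
    function _debit(uint256 shares) private {
        if (shares > _yieldFeeTotalSupply) {
            revert YieldFeeExceedsAvailable(shares, _yieldFeeTotalSupply);
        }
        _yieldFeeTotalSupply -= shares;
    }
}
```

A regression test for the restricted form would call mintYieldFee() from an address other than the recipient and expect the CallerNotYieldFeeRecipient revert, with yieldFeeTotalSupply() unchanged afterwards.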