c4-judge
commented
1 year ago Picodes marked the issue as primary issue
Open code423n4 opened 1 year ago
c4-judge
commented
1 year ago Picodes marked the issue as primary issue
c4-sponsor
commented
1 year ago asselstine marked the issue as sponsor acknowledged
Picodes
commented
1 year ago c4-judge
commented
1 year ago Picodes changed the severity to QA (Quality Assurance)
c4-judge
commented
1 year ago Picodes marked the issue as grade-b
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L573-L575
Vulnerability details
Impact
liquidateis the only function where_increaseYieldFeeBalanceis called._increaseYieldFeeBalanceincreases the value of_yieldFeeTotalSupply. When_liquidationPaircallsliquidate, the call can get frontrun by the contract owner calling_setYieldFeePercentage, which changes the percentage of_amountOutthat is passed to_increaseYieldFeeBalanceand in doing directly changes the value of_yieldFeeTotalSupply.Proof of Concept
The call to
_increaseYieldFeeBalance, which increases the value of_yieldFeeTotalSupply, takes place inliquidatehttps://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L573-L575
But
setYieldFeePercentagecan be called at any time by the owner, such as by frontrunning, allowing the amount of value accumulated for the_yieldFeeRecipientto be fully controlled by the owner.https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L691-L697
Tools Used
Manual review
Recommended Mitigation Steps
Create a new state variable
_lastYieldUpdatethat stores the currentblock.timestampinside ofsetYieldFeePercentage. A check can then be introduced inliquidateto revert or take other actions ifblock.timestamp == _lastYieldUpdate, which will prevent a user from becoming a victim of frontrunning from the contract owner.Assessed type
MEV