code-423n4 / 2023-07-pooltogether-findings


`mintYieldFee` allows anyone to steal yield fees #236

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394

Vulnerability details

Impact

The intent of `mintYieldFee` is to convert the shares that have been collected for the `_yieldFeeRecipient` via internal accounting into shares minted to the address of the assigned recipient. Instead, anyone can call `mintYieldFee` and assign their own address as recipient, taking the fees intended for `_yieldFeeRecipient`.

Proof of Concept

`mintYieldFee` has no access modifier and allows `_recipient` to be set by the caller. The chosen `_recipient` will receive the shares minted to them, taking value from the Vault.

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394

Tools Used

Manual review

Recommended Mitigation Steps

Remove the `_recipient` argument from `mintYieldFee`. Modify the mint action to mint directly to `_yieldFeeRecipient`, which is set by the owner.

Assessed type

Access Control
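The pattern described in the finding, shown as an added illustration rather than the pt-v5-vault code itself. The contracts, storage names (`_yieldFeeShares`, `_yieldFeeRecipient`, `_owner`), the `accrueYieldFee` stand-in for fee accrual and the simplified `_mint` are all assumptions made for this example; they are not the Vault's actual implementation. The vulnerable variant keeps the caller-chosen recipient, the fixed variant applies the recommended mitigation of minting only to the owner-set recipient:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not project code. Shared state for both variants below.
abstract contract YieldFeeBase {
    mapping(address => uint256) public balanceOf; // simplified share ledger
    uint256 internal _yieldFeeShares;             // fee shares accrued, not yet minted (assumed name)
    address internal _yieldFeeRecipient;          // owner-set fee recipient (assumed name)
    address internal _owner;

    event MintYieldFee(address indexed caller, address indexed recipient, uint256 shares);

    constructor(address yieldFeeRecipient) {
        _owner = msg.sender;
        _yieldFeeRecipient = yieldFeeRecipient;
    }

    // Stand-in for fee accrual; in a real vault this grows as yield is captured.
    function accrueYieldFee(uint256 shares) external {
        _yieldFeeShares += shares;
    }

    function availableYieldFee() external view returns (uint256) {
        return _yieldFeeShares;
    }

    function setYieldFeeRecipient(address recipient) external {
        require(msg.sender == _owner, "not owner");
        _yieldFeeRecipient = recipient;
    }

    function _mint(address to, uint256 shares) internal {
        balanceOf[to] += shares;
    }
}

// Vulnerable shape: public, no access check, recipient supplied by the caller.
contract VulnerableYieldFee is YieldFeeBase {
    constructor(address r) YieldFeeBase(r) {}

    function mintYieldFee(uint256 shares, address recipient) external {
        require(shares <= _yieldFeeShares, "exceeds available fee");
        _yieldFeeShares -= shares;
        _mint(recipient, shares); // BUG: anyone can name themselves here
        emit MintYieldFee(msg.sender, recipient, shares);
    }
}

// Fixed shape: recipient argument removed, shares always go to _yieldFeeRecipient.
// Because the destination is fixed, it no longer matters who triggers the mint;
// restricting the caller further would be optional hardening, not the fix itself.
contract FixedYieldFee is YieldFeeBase {
    constructor(address r) YieldFeeBase(r) {}

    function mintYieldFee(uint256 shares) external {
        require(shares <= _yieldFeeShares, "exceeds available fee");
        _yieldFeeShares -= shares;
        _mint(_yieldFeeRecipient, shares);
        emit MintYieldFee(msg.sender, _yieldFeeRecipient, shares);
    }
}

// Attacker path against the vulnerable variant: drain the whole accrued fee to self.
contract FeeThief {
    function steal(VulnerableYieldFee vault) external {
        uint256 available = vault.availableYieldFee();
        vault.mintYieldFee(available, address(this));
    }
}
```

Deploying `VulnerableYieldFee`, calling `accrueYieldFee`, and then running `FeeThief.steal` leaves the full accrued fee in the thief's `balanceOf` entry and nothing for the configured recipient; the same sequence against `FixedYieldFee` does not compile, since `mintYieldFee` no longer accepts a recipient, and any caller's mint credits `_yieldFeeRecipient` only.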

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #396

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory