code-423n4 / 2023-07-pooltogether-findings

_mint Function Allows Zero Address as Receiver, Resulting in Token Loss #265

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1122-L1127

Vulnerability details

The _mint function does not include explicit validation to prevent the receiver address from being set as the zero address. Here is the vulnerable code snippet:

function _mint(address _receiver, uint256 _shares) internal virtual override {
  _twabController.mint(_receiver, uint96(_shares));
  _updateExchangeRate();

  emit Transfer(address(0), _receiver, _shares);
}

In this code, the function allows _receiver to be any Ethereum address, including the zero address. When tokens are minted with the zero address as the receiver, they become irretrievable, leading to potential loss and disruption of contract functionality.

Impact

Tokens minted with the zero address as the receiver will not be associated with any identifiable account or entity. These tokens become permanently unrecoverable, which can lead to a loss of value and disrupt the expected ownership and tracking mechanisms within the contract.

Proof of Concept

_mint(address(0), 100);

Tools Used

manual

Recommended Mitigation Steps

Add explicit validation to ensure that the receiver address is not set as the zero address.

require(_receiver != address(0), "Invalid receiver address");

Assessed type

Other
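The report's proof-of-concept call and its recommended check, side by side, as an added example that is not code from the report or from the PoolTogether vault. It assumes a simplified ledger that keeps balances in a local mapping instead of calling the TwabController; `ShareLedger`, `UnguardedLedger`, `GuardedLedger` and `ZeroReceiverProbe` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified stand-in for the vault's share accounting (assumption: balances
// are tracked in a local mapping rather than in the TwabController).
abstract contract ShareLedger {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 value);

    function _mint(address _receiver, uint256 _shares) internal virtual {
        balanceOf[_receiver] += _shares;
        totalSupply += _shares;
        emit Transfer(address(0), _receiver, _shares);
    }

    // Demo-only entry point (no access control) so the probe below can
    // observe a revert with try/catch.
    function mint(address _receiver, uint256 _shares) external {
        _mint(_receiver, _shares);
    }
}

// Same shape as the snippet in the report: no receiver validation.
contract UnguardedLedger is ShareLedger {}

// The report's recommended check, applied before any state change.
contract GuardedLedger is ShareLedger {
    function _mint(address _receiver, uint256 _shares) internal override {
        require(_receiver != address(0), "Invalid receiver address");
        super._mint(_receiver, _shares);
    }
}

// Runs the report's proof-of-concept call against both variants and
// reports whether each one accepted it.
contract ZeroReceiverProbe {
    function run() external returns (bool unguardedAccepted, bool guardedAccepted) {
        ShareLedger unguarded = new UnguardedLedger();
        ShareLedger guarded = new GuardedLedger();
        try unguarded.mint(address(0), 100) { unguardedAccepted = true; } catch {}
        try guarded.mint(address(0), 100) { guardedAccepted = true; } catch {}
    }
}
```

Because the `require` runs before `super._mint`, a rejected call in the guarded variant leaves `totalSupply` and `balanceOf` unchanged and emits no `Transfer` event.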

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Overinflated severity