Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394
Vulnerability details
Impact
Anyone can claim the yield fees and mint the extra shares to their address. The shares can then be redeemed for assets.
Proof of Concept
The Vault.mintYieldFee function allows minting the yield fee that was set aside during liquidations. The function can be called by anyone and an arbitrary fee recipient address can be provided, allowing anyone to steal the accumulated yield fee.
The contract defines the _yieldFeeRecipient state variable, which is the address that's expected to receive yield fees. However, the variable is not used in the Vault.mintYieldFee function.
Tools Used
Manual review
Recommended Mitigation Steps
In the Vault.mintYieldFee function, consider minting shares only to the address specified in the _yieldFeeRecipient state variable.
Assessed type
Access Control
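The pattern described in this finding and the recommended fix, side by side, as an added Solidity model that is not the pt-v5-vault source. Only mintYieldFee and _yieldFeeRecipient are names from the report; the contract name, the fee counter, the error and the helper functions are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified model written for this example; not the audited contract.
// Share accounting is reduced to a balance mapping so the file has no imports.
contract YieldFeeModel {
    mapping(address => uint256) public balanceOf; // vault shares per holder
    uint256 public totalSupply;
    uint256 public yieldFeeTotalSupply;           // fee shares accrued but not yet minted (assumed name)
    address private _yieldFeeRecipient;           // address expected to receive yield fees

    error InsufficientYieldFee(uint256 requested, uint256 available); // assumed name

    constructor(address yieldFeeRecipient_) {
        _yieldFeeRecipient = yieldFeeRecipient_;
    }

    // Stand-in for the fee set aside during liquidations.
    // Its own access control is out of scope for this model.
    function accrueYieldFee(uint256 shares) external {
        yieldFeeTotalSupply += shares;
    }

    // Reported pattern: no caller check, and the caller supplies the recipient,
    // so the accrued fee shares can be minted to any address.
    function mintYieldFeeUnrestricted(uint256 shares, address recipient) external {
        _consumeFee(shares);
        _mint(recipient, shares);
    }

    // Recommended form: the recipient parameter is gone and shares are minted
    // only to _yieldFeeRecipient, so it no longer matters who sends the call.
    function mintYieldFee(uint256 shares) external {
        _consumeFee(shares);
        _mint(_yieldFeeRecipient, shares);
    }

    function _consumeFee(uint256 shares) private {
        if (shares > yieldFeeTotalSupply) revert InsufficientYieldFee(shares, yieldFeeTotalSupply);
        yieldFeeTotalSupply -= shares;
    }

    function _mint(address to, uint256 shares) private {
        totalSupply += shares;
        balanceOf[to] += shares;
    }
}
```

A regression test for the fix can call mintYieldFee from an unrelated account and check that only the balance of the configured fee recipient increases.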