code-423n4 / 2023-07-pooltogether-findings


Unrestricted `Vault.mintYieldFee` function allows stealing of mint yield #290

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394

Vulnerability details

Impact

Anyone can claim the yield fees and mint the extra shares to their address. The shares can then be redeemed for assets.

Proof of Concept

The Vault.mintYieldFee function allows minting the yield fee that was set out during liquidations. The function can be called by anyone and an arbitrary fee recipient address can be provided, allowing anyone to steal the accumulated yield fee.

The contract defines the _yieldFeeRecipient state variable, which is the address that's expected to receive yield fees. However, the variable is not used in the Vault.mintYieldFee function.

Tools Used

Manual review

Recommended Mitigation Steps

In the Vault.mintYieldFee function, consider minting shares only to the address specified in the _yieldFeeRecipient state variable.

Assessed type

Access Control
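As an added illustration of the pattern this finding describes (a sketch, not the project's code: the function signatures, the `_mint` hook and the `_yieldFeeTotalSupply` counter are assumptions), the unrestricted shape is shown beside a version that applies the recommended mitigation of minting only to `_yieldFeeRecipient`:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Assumed simplified shape of the vulnerable pattern (not the project's code).
/// `_yieldFeeTotalSupply` is assumed to track fee shares accrued during
/// liquidations; `_mint` is an assumed internal ERC20-style mint hook.
abstract contract VaultBefore {
    address internal _yieldFeeRecipient;   // configured recipient, never read below
    uint256 internal _yieldFeeTotalSupply; // accrued fee shares not yet minted

    function _mint(address to, uint256 shares) internal virtual;

    /// Vulnerable shape: no caller restriction, and the caller picks `_recipient`,
    /// so the stored `_yieldFeeRecipient` is bypassed entirely.
    function mintYieldFee(uint256 _shares, address _recipient) external {
        require(_shares <= _yieldFeeTotalSupply, "exceeds accrued fee");
        _yieldFeeTotalSupply -= _shares;
        _mint(_recipient, _shares);
    }
}

/// Same sketch with the mitigation from the finding applied.
abstract contract VaultAfter {
    address internal _yieldFeeRecipient;
    uint256 internal _yieldFeeTotalSupply;

    event MintYieldFee(address indexed caller, address indexed recipient, uint256 shares);

    function _mint(address to, uint256 shares) internal virtual;

    /// Hardened: the recipient parameter is removed and shares always go to the
    /// stored `_yieldFeeRecipient`. Leaving the call permissionless is then harmless:
    /// an arbitrary caller can only trigger a mint to the configured address.
    function mintYieldFee(uint256 _shares) external {
        address recipient = _yieldFeeRecipient;
        require(recipient != address(0), "fee recipient unset");
        require(_shares <= _yieldFeeTotalSupply, "exceeds accrued fee");
        _yieldFeeTotalSupply -= _shares;
        _mint(recipient, _shares);
        emit MintYieldFee(msg.sender, recipient, _shares);
    }
}
```

The emitted event gives monitoring a per-call record of who triggered the mint and how many fee shares left the accrued balance.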

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #396

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory