Closed code423n4 closed 1 year ago
Regrouping here all issues related to using the permissionless nature of the factory to create a malicious deployment, and abusive usage of owner privileges
Picodes marked the issue as primary issue
This is the point of V5: we are replacing protocol gatekeeping with curation by front-ends.
The responsibility of curation will rest on front-ends, who will curate which vaults they show their users.
asselstine marked the issue as sponsor acknowledged
I'll keep this issue as a valid Medium to highlight the importance of properly checking deployments or trusting the front-end.
Picodes marked the issue as satisfactory
Picodes changed the severity to 2 (Med Risk)
Picodes marked issue #300 as primary and marked this issue as a duplicate of 300
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/VaultFactory.sol#L55
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L254
Vulnerability details
Impact
Malicious vault owner can deploy a vault using malicious twabController, yieldVault and prizePool contracts that can put users' funds at risk.
Proof of Concept
In the contract VaultFactory.sol, the function deployVault is used to deploy new vaults and then push them to the allVaults array. The addresses of the twabController, yieldVault and prizePool were passed as input to the function but were not validated before the vault was deployed. In the constructor() of the Vault.sol contract, the if statement only checks that the addresses are not the zero address, but does not ensure that the addresses are the right ones.
Tools Used
Manual review
Recommended Mitigation Steps
Ensure proper validation, since these parameters are passed in manually, which can possibly lead to some typos.
Assessed type
Invalid Validation
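The check the judge's comment refers to ("properly checking deployments"), written out as an added example; this is not part of the original report and not pt-v5-vault code. Because deployVault is permissionless, "deployed by the factory" proves nothing on its own: a front-end or on-chain integrator has to compare every dependency of a candidate vault against known-good values before listing it. The example assumes that VaultFactory exposes a deployedVaults(address) boolean and that Vault exposes twabController(), prizePool() and yieldVault() getters; the VaultCurator contract, its interfaces, error names and the curator role are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// ASSUMED interfaces for this example. The getter names mirror what a
// PoolTogether V5 Vault / VaultFactory are expected to expose, but they are
// written here for illustration and are not copied from the repository.
interface IVaultFactory {
    function deployedVaults(address vault) external view returns (bool);
}

interface IVault {
    function twabController() external view returns (address);
    function prizePool() external view returns (address);
    function yieldVault() external view returns (address);
}

/// @notice Curation-side allowlist: the check a front-end (via eth_call) or an
/// on-chain integrator runs before showing a permissionlessly deployed vault.
/// Hypothetical contract; every name below is an assumption of this example.
contract VaultCurator {
    IVaultFactory public immutable factory;
    address public immutable canonicalTwabController;
    address public immutable canonicalPrizePool;
    address public curator;

    // Yield vaults are arbitrary ERC-4626 contracts and actually hold the
    // deposits, so they are allowlisted one by one instead of pinned to one address.
    mapping(address => bool) public trustedYieldVault;
    mapping(address => bool) public listed;

    event VaultListed(address indexed vault);
    event VaultDelisted(address indexed vault);

    error NotCurator();
    error NotFromFactory(address vault);
    error WrongTwabController(address vault, address got);
    error WrongPrizePool(address vault, address got);
    error UntrustedYieldVault(address vault, address got);

    modifier onlyCurator() {
        if (msg.sender != curator) revert NotCurator();
        _;
    }

    constructor(IVaultFactory _factory, address _twabController, address _prizePool) {
        require(_twabController != address(0) && _prizePool != address(0), "zero address");
        factory = _factory;
        canonicalTwabController = _twabController;
        canonicalPrizePool = _prizePool;
        curator = msg.sender;
    }

    function setTrustedYieldVault(address yieldVault, bool trusted) external onlyCurator {
        trustedYieldVault[yieldVault] = trusted;
    }

    /// @notice Reverts with the specific reason a vault must not be shown to users.
    /// Kept as a view so off-chain front-ends can evaluate it without a transaction.
    function check(address vault) public view {
        // 1. The bytecode must be the factory's; a look-alike contract fails here.
        if (!factory.deployedVaults(vault)) revert NotFromFactory(vault);

        IVault v = IVault(vault);

        // 2. The TWAB controller decides prize eligibility; it must be the canonical one.
        address twab = v.twabController();
        if (twab != canonicalTwabController) revert WrongTwabController(vault, twab);

        // 3. The prize pool is where contributions and claims flow; same rule.
        address pool = v.prizePool();
        if (pool != canonicalPrizePool) revert WrongPrizePool(vault, pool);

        // 4. The yield vault custodies user deposits; only allowlisted ones pass.
        address yv = v.yieldVault();
        if (!trustedYieldVault[yv]) revert UntrustedYieldVault(vault, yv);
    }

    /// @notice Non-reverting variant for UIs that just want a boolean.
    function isSafe(address vault) external view returns (bool ok) {
        try this.check(vault) { ok = true; } catch { ok = false; }
    }

    function list(address vault) external onlyCurator {
        check(vault); // refuse to list anything that fails the dependency checks
        listed[vault] = true;
        emit VaultListed(vault);
    }

    function delist(address vault) external onlyCurator {
        listed[vault] = false;
        emit VaultDelisted(vault);
    }
}
```

The report's own mitigation is the factory-side version of the same idea: store the canonical twabController and prizePool in VaultFactory at construction and have deployVault use them instead of accepting them as parameters, which removes the typo risk but reintroduces the protocol gatekeeping the sponsor decided against. Either way, the yieldVault needs an explicit allowlist rather than a single pinned value, since it is the contract that actually holds user funds; and passing these checks says nothing about what the vault owner can later do with owner-only settings, which is a separate curation question.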