Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394
Vulnerability details
Impact
There is a function called mintYieldFee in the Vault.sol file which someone can call, passing it a receiver address to receive some shares of the vault. In the constructor a variable called "_yieldFeeRecipient" is set, which I assume is the address which should receive the shares up to _yieldFeeTotalSupply. However, the function is external and does not have any restrictions on who can call it; therefore, anyone can mint themselves extra shares that they should not have.
Tools Used
Manual Review
Recommended Mitigation Steps
One solution could be the following: inside the mintYieldFee function there is a call "_mint(_recipient, _shares);". Instead of allowing the caller to pass _recipient as a function argument, the call could use the _yieldFeeRecipient variable: _mint(_yieldFeeRecipient, _shares). This way, the shares will belong to the intended address.
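The pattern described in this report next to the recommended change, as an added example: a simplified model contract written for this illustration, not the project's Vault.sol. Only the names mintYieldFee, _yieldFeeRecipient, _yieldFeeTotalSupply and _mint come from the report; the parameter order, the accrual helper, the custom error and the bookkeeping are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified model for illustration only; NOT the Vault.sol source.
contract YieldFeeModel {
    address private _yieldFeeRecipient;   // set once in the constructor
    uint256 private _yieldFeeTotalSupply; // fee shares accrued but not yet minted

    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    // Hypothetical error name, introduced for this example.
    error FeeSharesExceedAccrued(uint256 requested, uint256 available);

    constructor(address yieldFeeRecipient_) {
        _yieldFeeRecipient = yieldFeeRecipient_;
    }

    // Hypothetical stand-in for the vault's fee accrual logic.
    function accrueFeeForDemo(uint256 _shares) external {
        _yieldFeeTotalSupply += _shares;
    }

    // Pattern from the report: external, no caller restriction, and the
    // caller chooses which address receives the fee shares.
    function mintYieldFeeUnrestricted(uint256 _shares, address _recipient) external {
        _consumeAccruedFee(_shares);
        _mint(_recipient, _shares);
    }

    // Recommended mitigation: no recipient argument, so whoever calls the
    // function, the shares are minted to the address set in the constructor.
    function mintYieldFee(uint256 _shares) external {
        _consumeAccruedFee(_shares);
        _mint(_yieldFeeRecipient, _shares);
    }

    // Caps minting at the accrued fee supply and decrements it.
    function _consumeAccruedFee(uint256 _shares) private {
        if (_shares > _yieldFeeTotalSupply) {
            revert FeeSharesExceedAccrued(_shares, _yieldFeeTotalSupply);
        }
        _yieldFeeTotalSupply -= _shares;
    }

    function _mint(address _to, uint256 _shares) private {
        totalSupply += _shares;
        balanceOf[_to] += _shares;
    }
}
```

A regression test for the fix can call mintYieldFee from an address other than the fee recipient and assert that only the fee recipient's balance increases.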
Assessed type
Access Control