code-423n4 / 2023-07-pooltogether-findings


Anybody can mint himself shares up to the _yieldFeeTotalSupply #327

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394

Vulnerability details

Impact

There is a function called mintYieldFee in the Vault.sol file which someone can call and pass it a receiver address to receive some shares of the vault. In the constructor a variable called "_yieldFeeRecipient" is set, which I assume is the address which should receive the shares up to _yieldFeeTotalSupply. However, the function is external and does not have any restrictions on who can call it, therefore anyone can mint himself extra shares that he should not have.

Tools Used

Manual Review

Recommended Mitigation Steps

One solution could be: inside the mintYieldFee function there is a call "_mint(_recipient, _shares);". Instead of allowing someone to pass the _recipient as a function argument, it could be switched with the _yieldFeeRecipient variable => _mint(_yieldFeeRecipient, _shares). This way, the shares will belong to the intended address.

Assessed type

Access Control
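Added illustration, not the project's Vault.sol: a stripped-down vault showing the recipient-controlled mint described in the finding next to the mitigation it proposes. The base contract, its state names and the _consumeYieldFee helper are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical minimal share ledger carrying only the yield-fee flow
/// discussed in the finding; fee accrual itself happens elsewhere.
abstract contract YieldFeeVaultBase {
    mapping(address => uint256) public balanceOf;
    address public immutable _yieldFeeRecipient; // fixed once in the constructor
    uint256 public _yieldFeeTotalSupply;         // fee shares accrued, not yet minted

    constructor(address yieldFeeRecipient_) {
        _yieldFeeRecipient = yieldFeeRecipient_;
    }

    function _mint(address to, uint256 shares) internal {
        balanceOf[to] += shares;
    }

    /// Shared bookkeeping: the accrued fee pool is the only cap on minting,
    /// so it does not by itself decide who ends up holding the shares.
    function _consumeYieldFee(uint256 shares) internal {
        require(shares <= _yieldFeeTotalSupply, "exceeds yield fee");
        _yieldFeeTotalSupply -= shares;
    }
}

/// Pattern from the finding: the external caller chooses the recipient,
/// so any account can direct the accrued fee shares to an address it controls.
contract VulnerableVault is YieldFeeVaultBase {
    constructor(address r) YieldFeeVaultBase(r) {}

    function mintYieldFee(address _recipient, uint256 _shares) external {
        _consumeYieldFee(_shares);
        _mint(_recipient, _shares);
    }
}

/// Mitigation from the finding: the recipient argument is removed and the
/// shares always go to the address fixed at construction time.
contract FixedVault is YieldFeeVaultBase {
    constructor(address r) YieldFeeVaultBase(r) {}

    function mintYieldFee(uint256 _shares) external {
        _consumeYieldFee(_shares);
        _mint(_yieldFeeRecipient, _shares);
    }
}
```

In FixedVault anyone may still trigger the mint, but the outcome is the same whoever calls it: the fee shares land with the configured recipient.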

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #396

c4-judge commented 1 year ago

Picodes changed the severity to 3 (High Risk)

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory