code-423n4 / 2023-07-pooltogether-findings


Anyone can mint yield fee to any recipient #335

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394

Vulnerability details

Impact

Anyone can come and claim the yield fee for themselves.

Proof of Concept

In testLiquidateAndMintFees in Liquidate.t.sol just change this line:

vault.setYieldFeeRecipient(bob);

to a random address:

vault.setYieldFeeRecipient(address(0xc0ffee));

and keep this line:

vault.mintYieldFee(_yieldFeeShares, bob);

Running forge test --match-test testLiquidateAndMintFees returns no errors.

Fee shares are minted to bob even though he is not the fee recipient.

Tools Used

foundry

Recommended Mitigation Steps

Send fees to the right recipient

Assessed type

Access Control
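
The access-control gap reported above, as an added example that is not part of the original issue or the PoolTogether code base: a simplified fee-share ledger showing the reported behaviour beside a hardened form. The contract name, the owner check, `mintYieldFeeUnchecked`, `_consume` and the storage names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified model written for this example; not the PoolTogether Vault source.
// Only setYieldFeeRecipient and mintYieldFee are names taken from the issue.
contract YieldFeeModel {
    address public owner;
    address public yieldFeeRecipient;
    uint256 public yieldFeeTotalSupply; // fee shares accrued but not yet minted
    mapping(address => uint256) public balanceOf;

    error NotOwner();
    error FeeExceedsAvailable(uint256 requested, uint256 available);

    constructor(address recipient_, uint256 accruedFeeShares_) {
        owner = msg.sender;
        yieldFeeRecipient = recipient_;
        yieldFeeTotalSupply = accruedFeeShares_;
    }

    // Assumption of this model: only the owner may change the recipient.
    function setYieldFeeRecipient(address recipient_) external {
        if (msg.sender != owner) revert NotOwner();
        yieldFeeRecipient = recipient_;
    }

    // Behaviour reported in the issue: the caller supplies the recipient and
    // nothing ties it to yieldFeeRecipient, so any account can receive the fee.
    function mintYieldFeeUnchecked(uint256 shares, address recipient) external {
        _consume(shares);
        balanceOf[recipient] += shares;
    }

    // Hardened form: no recipient parameter. Anyone may trigger the mint,
    // but shares are credited only to the configured yieldFeeRecipient.
    function mintYieldFee(uint256 shares) external {
        _consume(shares);
        balanceOf[yieldFeeRecipient] += shares;
    }

    // Shared accounting: never mint more than the accrued fee shares.
    function _consume(uint256 shares) private {
        if (shares > yieldFeeTotalSupply) {
            revert FeeExceedsAvailable(shares, yieldFeeTotalSupply);
        }
        yieldFeeTotalSupply -= shares;
    }
}
```

A regression test for the hardened form would set the recipient to one address, call `mintYieldFee` from a different account, and assert that only the configured recipient's balance increased.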

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #396

c4-judge commented 1 year ago

Picodes changed the severity to 3 (High Risk)

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory