Closed code423n4 closed 1 year ago
Picodes marked the issue as primary issue
asselstine marked the issue as sponsor confirmed
Picodes marked the issue as satisfactory
Picodes marked the issue as selected for report
Picodes marked the issue as partial-50
Picodes marked the issue as unsatisfactory: Out of scope
This is an attack on the YieldVault and not the Vault no? PoolTogether V5 is permissionless by nature, so user should make sure they are depositing in a Vault using a safe YieldVault.
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L524-L535 https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L800-L802
Vulnerability details
Impact
The attacker can steal later depositer's funds.
Proof of Concept
Scenario - Creator 'A' creates a new YieldVault and then a new PoolTogether Vault providing the address of yieldVault in constructor
Poc -
Tools Used
Manual Review
Recommended Mitigation Steps
Can be tricky to fix based on whether the yieldVault should be a new vault or a old one(high tvl). my recommendation is to check in the constructor of main vault by calling yield vault's convertToShare() function by passing in a non trivial amount as param and also making sure that yieldVault already has a non-trivial totalSupply, to check whether the yieldVault has suffered from a donation attack.
Assessed type
Other