Closed code423n4 closed 1 year ago
asselstine marked the issue as sponsor confirmed
Downgrading to Low, considering this requirement is intended only for the amount of one transaction and not for the amount held overall by someone
Picodes changed the severity to QA (Quality Assurance)
Fixed in the following PR: https://github.com/GenerationSoftware/pt-v5-vault/commit/c864cd798d105b2106e2e0c6f63467cf784d4fad#diff-97c974f5c3c03a0cfcbc52a5b8b9ae2196d535754ff2034e2903de1fec23508aR393

We now compare `_shares` to the max amount of shares the user can still mint before overflowing uint96.
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L965-L974
Vulnerability details
Impact
A user could accumulate more shares than the defined maximum limit.
Proof of Concept
Suppose a user (`_receiver`) currently holds some shares and the `maxMint` limit is defined. This user can still call the `mint` or `mintWithPermit` function multiple times with `_shares` values that, in sum, exceed the `maxMint` limit. This is because the `mint` function's implementation does not account for the total shares a user could have after multiple mint transactions, or what they had before calling this.

Here is the `mint()` function's code:
Which calls the `_beforeMint()` function.

Tools Used
Manual Audit
Recommended Mitigation Steps
Modify the `_beforeMint` function to include a check that accounts for the sum of `_shares` to be minted and the shares already minted by the `_receiver`. This will ensure that users cannot exceed the `maxMint` limit through multiple mint transactions.

Assessed type
Invalid Validation
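As an added illustration (not the pt-v5-vault Vault code), the following Solidity model contrasts the per-transaction cap check the report describes with the cumulative check that the recommended mitigation and the sponsor's fix describe. `MintCapModel`, `MAX_MINT` and `remainingMintable` are names assumed for this model; the cap is set to the uint96 maximum because the sponsor's comment ties the fix to uint96 capacity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Illustrative model only; names and the cap value are assumptions for
/// this example, not the vault's actual interface.
contract MintCapModel {
    /// Stands in for the vault's maxMint limit (uint96 capacity per the fix).
    uint256 public constant MAX_MINT = type(uint96).max;

    mapping(address => uint256) private _held;

    function balanceOf(address account) public view returns (uint256) {
        return _held[account];
    }

    /// Before the fix: only this call's amount is compared to the cap, so a
    /// receiver can cross MAX_MINT by splitting the total over several calls.
    function mintPerTransactionCheck(address receiver, uint256 shares) external {
        require(shares <= MAX_MINT, "mint exceeds max");
        _held[receiver] += shares;
    }

    /// Shares the receiver can still mint before crossing the cap. This is
    /// the quantity the fixed vault compares the requested `_shares` against.
    function remainingMintable(address receiver) public view returns (uint256) {
        uint256 held = _held[receiver];
        return held >= MAX_MINT ? 0 : MAX_MINT - held;
    }

    /// After the fix: existing balance plus the new amount may not exceed
    /// the cap, so repeated calls cannot accumulate past MAX_MINT.
    function mintCumulativeCheck(address receiver, uint256 shares) external {
        require(shares <= remainingMintable(receiver), "mint exceeds max");
        _held[receiver] += shares;
    }
}
```

With the per-transaction variant, two calls of `MAX_MINT` each succeed and leave the receiver at twice the cap; with the cumulative variant, the second call reverts because `remainingMintable` is already zero.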