Wrong ERC20Permit import from Openzeppelin

[code423n4]

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L5C1-L5C103 #L5

Vulnerability details

Impact

The Vault.sol contract imported the draft-ERC20Permit from Openzeppelin contracts. However, the draft-ERC20Permit contract doesn't exist anymore in Openzeppelin contracts. Besides, the Vault.sol contract inherited ERC20Permit and not draft-ERC20Permit - https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L110C1-L110C70.

Functions in Vault.sol such as depositWithPermit, mintWithPermit, sponsorWithPermit, and _permit using the ERC20Permit abstract contract could throw unexpected behavior because of the wrong import.

Proof of Concept

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L5C1-L5C103

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L110C1-L110C70

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L427C3-L438C1

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L458C2-L472C4

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L494C1-L504C4

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1093C1-L1105C1

Tools Used

Manual review

Recommended Mitigation Steps

import { ERC20Permit, IERC20Permit } from "openzeppelin/token/ERC20/extensions/ERC20Permit.sol";

Assessed type

ERC20

[Picodes]

https://github.com/OpenZeppelin/openzeppelin-contracts/blob/release-v4.9/contracts/token/ERC20/extensions/draft-ERC20Permit.sol

[c4-judge]

Picodes marked the issue as unsatisfactory: Invalid