Anyone can call mintYieldFee() in Vault.sol and mint the Yield Fee

[code423n4]

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394-L402

Vulnerability details

Impact

Anyone can steal the yield fees.

Proof of Concept

The mintYieldFee() function in Vault.sol has no modifier and thus anyone can call this function to mint yield fees to themselves.

  function mintYieldFee(uint256 _shares, address _recipient) external {
    _requireVaultCollateralized();
    if (_shares > _yieldFeeTotalSupply) revert YieldFeeGTAvailable(_shares, _yieldFeeTotalSupply);

    _yieldFeeTotalSupply -= _shares;
    _mint(_recipient, _shares);

    emit MintYieldFee(msg.sender, _recipient, _shares);
  }

There is an assigned yieldFeeRecipient_ done in the constructor and the owner can change the yield fee recipient by calling setYieldFeeRecipient(). The fees should only go to the yield fee recipient.

  constructor(
    _setYieldFeeRecipient(yieldFeeRecipient_);

  function setYieldFeeRecipient(address yieldFeeRecipient_) external onlyOwner returns (address) {
    address _previousYieldFeeRecipient = _yieldFeeRecipient;
    _setYieldFeeRecipient(yieldFeeRecipient_);

    emit YieldFeeRecipientSet(_previousYieldFeeRecipient, yieldFeeRecipient_);
    return yieldFeeRecipient_;
  }

Tools Used

Manual Review

Recommended Mitigation Steps

Make sure mintYieldFee() has an OnlyOwner modifier or lock the recipient to the yieldFeeRecipient_ set in _setYieldFeeRecipient()

  function _setYieldFeeRecipient(address yieldFeeRecipient_) internal {
    _yieldFeeRecipient = yieldFeeRecipient_;
  }

Assessed type

Context

[c4-judge]

Picodes marked the issue as duplicate of #396

[c4-judge]

Picodes changed the severity to 3 (High Risk)

[c4-judge]

Picodes marked the issue as satisfactory