Closed code423n4 closed 1 year ago
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394-L402

Vulnerability details

Impact
Anyone can steal the yield fees.

Proof of Concept
The mintYieldFee() function in Vault.sol has no modifier and thus anyone can call this function to mint yield fees to themselves.

```solidity
function mintYieldFee(uint256 _shares, address _recipient) external {
  _requireVaultCollateralized();
  if (_shares > _yieldFeeTotalSupply) revert YieldFeeGTAvailable(_shares, _yieldFeeTotalSupply);

  _yieldFeeTotalSupply -= _shares;
  _mint(_recipient, _shares);

  emit MintYieldFee(msg.sender, _recipient, _shares);
}
```

There is an assigned yieldFeeRecipient_ done in the constructor and the owner can change the yield fee recipient by calling setYieldFeeRecipient(). The fees should only go to the yield fee recipient.

```solidity
constructor(
  // ... (remainder of the constructor is not shown in the report)
  _setYieldFeeRecipient(yieldFeeRecipient_);
```

```solidity
function setYieldFeeRecipient(address yieldFeeRecipient_) external onlyOwner returns (address) {
  address _previousYieldFeeRecipient = _yieldFeeRecipient;
  _setYieldFeeRecipient(yieldFeeRecipient_);

  emit YieldFeeRecipientSet(_previousYieldFeeRecipient, yieldFeeRecipient_);
  return yieldFeeRecipient_;
}
```

Tools Used
Manual Review

Recommended Mitigation Steps
Make sure mintYieldFee() has an OnlyOwner modifier or lock the recipient to the yieldFeeRecipient_ set in _setYieldFeeRecipient()

```solidity
function _setYieldFeeRecipient(address yieldFeeRecipient_) internal {
  _yieldFeeRecipient = yieldFeeRecipient_;
}
```

Assessed type
Context
Picodes marked the issue as duplicate of #396
Picodes changed the severity to 3 (High Risk)
Picodes marked the issue as satisfactory
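The second mitigation option from the report (locking the recipient), shown next to the reported pattern. This is an added example, not code from the report or from the PoolTogether repository. The contract name, the balance mapping standing in for `_mint`, the `CallerNotYieldFeeRecipient` error and the extra caller check are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration, not PoolTogether code: a stripped-down fee ledger that
/// keeps only the state needed to show the access-control gap and one fix.
contract YieldFeeSketch {
    address public owner;
    address private _yieldFeeRecipient;
    uint256 private _yieldFeeTotalSupply;
    mapping(address => uint256) public balanceOf; // stands in for ERC-20 _mint

    error YieldFeeGTAvailable(uint256 shares, uint256 available);
    error CallerNotYieldFeeRecipient(address caller, address recipient); // hypothetical

    constructor(address yieldFeeRecipient_, uint256 accruedFeeShares_) {
        owner = msg.sender;
        _yieldFeeRecipient = yieldFeeRecipient_;
        _yieldFeeTotalSupply = accruedFeeShares_; // constructed starting balance
    }

    // Pattern as reported: no caller check, and the caller chooses _recipient.
    function mintYieldFeeUnrestricted(uint256 _shares, address _recipient) external {
        if (_shares > _yieldFeeTotalSupply) revert YieldFeeGTAvailable(_shares, _yieldFeeTotalSupply);
        _yieldFeeTotalSupply -= _shares;
        balanceOf[_recipient] += _shares;
    }

    // Hardened: the recipient is read from storage instead of taken as an
    // argument, and only that recipient may trigger the mint.
    function mintYieldFee(uint256 _shares) external {
        address recipient = _yieldFeeRecipient;
        if (msg.sender != recipient) revert CallerNotYieldFeeRecipient(msg.sender, recipient);
        if (_shares > _yieldFeeTotalSupply) revert YieldFeeGTAvailable(_shares, _yieldFeeTotalSupply);
        _yieldFeeTotalSupply -= _shares;
        balanceOf[recipient] += _shares;
    }

    // The owner remains the only party able to redirect future fee mints.
    function setYieldFeeRecipient(address yieldFeeRecipient_) external {
        require(msg.sender == owner, "not owner");
        _yieldFeeRecipient = yieldFeeRecipient_;
    }
}
```

Removing the `_recipient` parameter is what closes the gap: even if the caller check were dropped, fee shares could only be credited to the address the owner configured.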