code-423n4 / 2023-07-pooltogether-findings

No access control for `mintYieldFee()` #389

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394

Vulnerability details

Impact

Anyone can mint the yield fee using mintYieldFee().

Proof of Concept

mintYieldFee() mints the shares for the yield fee.

```solidity
  function mintYieldFee(uint256 _shares, address _recipient) external {
    _requireVaultCollateralized();
    if (_shares > _yieldFeeTotalSupply) revert YieldFeeGTAvailable(_shares, _yieldFeeTotalSupply);

    _yieldFeeTotalSupply -= _shares;
    _mint(_recipient, _shares);

    emit MintYieldFee(msg.sender, _recipient, _shares);
  }
```

This function mints the shares to the _recipient and reduces _yieldFeeTotalSupply accordingly.

But there is no access control here and anyone can steal the yield fee using this function.

Tools Used

Manual Review

Recommended Mitigation Steps

mintYieldFee() should have a whitelist for callers.

Assessed type

Access Control
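As an added example (not part of the original report and not PoolTogether's code), here is the reported function shape next to one way to restrict it: the caller must be a single fixed fee recipient, which is the narrowest form of the caller whitelist recommended above. `YieldFeeSketch`, `yieldFeeRecipient`, `CallerNotYieldFeeRecipient`, `mintYieldFeeUnrestricted`, `_consumeFee` and the simplified `_mint` are assumptions made for illustration, and the collateralization check is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not PoolTogether code: a minimal stand-in for the vault's
// yield-fee accounting. Names not shown in the report are hypothetical.
contract YieldFeeSketch {
  error YieldFeeGTAvailable(uint256 shares, uint256 yieldFeeTotalSupply);
  error CallerNotYieldFeeRecipient(address caller); // hypothetical error

  event MintYieldFee(address indexed caller, address indexed recipient, uint256 shares);

  address public immutable yieldFeeRecipient; // assumed: fixed at deployment
  uint256 internal _yieldFeeTotalSupply;      // fee shares accrued, not yet minted
  mapping(address => uint256) public balanceOf;
  uint256 public totalSupply;

  constructor(address recipient_, uint256 accruedFeeShares_) {
    yieldFeeRecipient = recipient_;
    _yieldFeeTotalSupply = accruedFeeShares_; // constructed starting balance
  }

  // Reported shape: the caller is unchecked and picks the destination,
  // so the accrued fee goes to whoever calls first.
  function mintYieldFeeUnrestricted(uint256 _shares, address _recipient) external {
    _consumeFee(_shares);
    _mint(_recipient, _shares);
    emit MintYieldFee(msg.sender, _recipient, _shares);
  }

  // Restricted shape: the caller is checked and the destination is no longer
  // a parameter, so fee shares can only reach the configured recipient.
  function mintYieldFee(uint256 _shares) external {
    if (msg.sender != yieldFeeRecipient) revert CallerNotYieldFeeRecipient(msg.sender);
    _consumeFee(_shares);
    _mint(yieldFeeRecipient, _shares);
    emit MintYieldFee(msg.sender, yieldFeeRecipient, _shares);
  }

  // Same bound check and decrement as the function quoted in the report.
  function _consumeFee(uint256 _shares) internal {
    if (_shares > _yieldFeeTotalSupply) revert YieldFeeGTAvailable(_shares, _yieldFeeTotalSupply);
    _yieldFeeTotalSupply -= _shares;
  }

  // Simplified mint; a real vault would use its ERC-20 `_mint`.
  function _mint(address _to, uint256 _shares) internal {
    totalSupply += _shares;
    balanceOf[_to] += _shares;
  }
}
```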

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #396

c4-judge commented 11 months ago

Picodes changed the severity to 3 (High Risk)

c4-judge commented 11 months ago

Picodes marked the issue as satisfactory