Open code423n4 opened 1 year ago
Picodes marked the issue as duplicate of #406
Picodes marked the issue as selected for report
asselstine marked the issue as sponsor confirmed
Fixed in this PR: https://github.com/GenerationSoftware/pt-v5-vault/pull/7
Picodes marked the issue as satisfactory
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394-L402
Vulnerability details
Impact
The Vault.mintYieldFee external function is used to mint Vault shares to the yield fee _recipient. The function is an external function and can be called by anyone since there is no access control. The function will revert only under the following two conditions: _shares are greater than the accrued _yieldFeeTotalSupply.
The issue with this function is that it allows the caller to set the _recipient (the address of the yield fee recipient). It does not use the _yieldFeeRecipient state variable which was set in the Vault.constructor as the yield fee recipient. This means anyone can steal the available yield fee from this vault (as long as the above revert conditions are not satisfied) by minting shares to his own address or to any address of his choice.
Proof of Concept
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394-L402
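As an added illustration (not the project's code and not the author's PoC), the reported pattern beside the recommended fix in a reduced contract: the names _yieldFeeRecipient, _yieldFeeTotalSupply and mintYieldFee mirror the finding, while the share ledger and the accrueYieldFee stand-in are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed illustration of the yield-fee minting issue described in the finding.
// Not the pt-v5-vault code: vault accounting is reduced to a mapping-based share ledger.
contract YieldFeeVaultExample {
    address public immutable _yieldFeeRecipient; // fixed once in the constructor
    uint256 public _yieldFeeTotalSupply;          // fee shares accrued but not yet minted
    mapping(address => uint256) public balanceOf;

    error YieldFeeGTAvailable(uint256 shares, uint256 available);

    constructor(address yieldFeeRecipient_) {
        _yieldFeeRecipient = yieldFeeRecipient_;
    }

    // Stand-in for fee accrual; in a real vault this comes from yield accounting.
    function accrueYieldFee(uint256 _shares) external {
        _yieldFeeTotalSupply += _shares;
    }

    // VULNERABLE (as reported): the caller chooses _recipient, so any account can
    // redirect the accrued fee shares to itself whenever _shares <= _yieldFeeTotalSupply.
    function mintYieldFeeVulnerable(uint256 _shares, address _recipient) external {
        if (_shares > _yieldFeeTotalSupply) revert YieldFeeGTAvailable(_shares, _yieldFeeTotalSupply);
        _yieldFeeTotalSupply -= _shares;
        _mint(_recipient, _shares);
    }

    // HARDENED (per the recommendation): no recipient parameter; shares always go to
    // the recipient fixed in the constructor. The function may stay permissionless,
    // because the mint destination is no longer caller-controlled.
    function mintYieldFee(uint256 _shares) external {
        if (_shares > _yieldFeeTotalSupply) revert YieldFeeGTAvailable(_shares, _yieldFeeTotalSupply);
        _yieldFeeTotalSupply -= _shares;
        _mint(_yieldFeeRecipient, _shares);
    }

    function _mint(address to, uint256 amount) internal {
        balanceOf[to] += amount;
    }
}
```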
Tools Used
Manual Review and VSCode
Recommended Mitigation Steps
Hence it is recommended to use the _yieldFeeRecipient state variable value as the yield fee recipient inside the Vault.mintYieldFee external function and to remove the input parameter address _recipient from the Vault.mintYieldFee function, so that the caller will not be able to mint shares to any arbitrary address of his choice and steal the yield fee of the protocol. The updated function should be as follows:
Assessed type
Other