code423n4 closed 11 months ago
Picodes changed the severity to 2 (Med Risk)
asselstine marked the issue as sponsor confirmed
Picodes marked the issue as duplicate of #458
Picodes marked the issue as satisfactory
Fixed by safe casting to uint96 in the _mint function in this PR: https://github.com/GenerationSoftware/pt-v5-vault/pull/9/files#diff-97c974f5c3c03a0cfcbc52a5b8b9ae2196d535754ff2034e2903de1fec23508aR1130
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L398
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1123
Vulnerability details
Impact
In Vault.sol/mintYieldFee function: _yieldFeeTotalSupply is updated by decreasing the _shares amount (knowing that _yieldFeeTotalSupply & _shares are of uint256 type):
_mint function: it will only mint uint96(_shares).
_yieldFeeTotalSupply without getting an equivalent share tokens if _shares is greater than type(uint96).max.
Impact: _yieldFeeTotalSupply without getting an equivalent amount of share tokens _shares.
Proof of Concept
Vault.sol/Line 398
Vault.sol/Line 1123
Tools Used
Manual Testing.
Recommended Mitigation Steps
In mintYieldFee function: deduct the uint96(_shares) amount from _yieldFeeTotalSupply:
Assessed type
Math
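The accounting mismatch described in this report, as an added example that is not part of the original submission or the project's code: a simplified model in which a uint256 fee supply is reduced by the full amount while the mint uses the truncated uint96 value, next to a checked variant that reverts instead of truncating. The contract, function, and error names are hypothetical; only the uint256-to-uint96 cast pattern comes from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration: a simplified model, not the PoolTogether Vault code.
/// All names are hypothetical; only the uint256 -> uint96 cast pattern
/// is taken from the report.
contract YieldFeeCastModel {
    error SharesExceedUint96(uint256 shares);

    uint256 public yieldFeeTotalSupply;          // fee shares still claimable
    mapping(address => uint96) public balanceOf; // balances stored as uint96

    constructor(uint256 initialFeeSupply) {
        yieldFeeTotalSupply = initialFeeSupply;
    }

    /// Pattern described in the report: the fee supply moves by the full
    /// uint256 amount, the balance moves by the truncated uint96 amount.
    /// For shares > type(uint96).max the two sides diverge silently,
    /// because explicit narrowing casts do not revert in Solidity 0.8.
    function mintYieldFeeTruncating(uint256 shares, address recipient) external {
        yieldFeeTotalSupply -= shares;
        balanceOf[recipient] += uint96(shares);
    }

    /// Checked variant: the cast reverts when the value does not fit,
    /// so the supply and the balance always change by the same amount.
    function mintYieldFeeChecked(uint256 shares, address recipient) external {
        uint96 minted = toUint96(shares);
        yieldFeeTotalSupply -= minted;
        balanceOf[recipient] += minted;
    }

    /// Safe narrowing cast: reverts rather than dropping high bits.
    function toUint96(uint256 value) internal pure returns (uint96) {
        if (value > type(uint96).max) revert SharesExceedUint96(value);
        return uint96(value);
    }
}
```

Calling mintYieldFeeTruncating with shares equal to type(uint96).max + 1 reduces yieldFeeTotalSupply by that amount and credits the recipient with 0, while mintYieldFeeChecked reverts on the same input.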