Vault will lose its `_yieldFeeTotalSupply` without getting an equivalent amount of share tokens

[code423n4]

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L398 https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1123

Vulnerability details

Impact

In Vault.sol/mintYieldFee function:

• the vault shares are minted in return of yield fees.
• the _yieldFeeTotalSupply is updated by decreasing the _shares amount (knowing that _yieldFeeTotalSupply & _shares are of uint256 type):

 _yieldFeeTotalSupply -= _shares;

• but in _mint function: it will only mint uint96(_shares).

_twabController.mint(_receiver, uint96(_shares));

• this will reduce the _yieldFeeTotalSupply without getting an equivalent share tokens if _shares is greater than type(uint96).max. Impact:
• The vault will lose from its _yieldFeeTotalSupply without getting an equivalent amount of share tokens _shares.
• Total amount of shares managed by the vault will be less than actual amount,

Proof of Concept

Vault.sol/Line 398

File:pt-v5-vault/src/Vault.sol
Line 398: _yieldFeeTotalSupply -= _shares;

Vault.sol/Line 1123

File:pt-v5-vault/src/Vault.sol
Line 1123: _twabController.mint(_receiver, uint96(_shares));

Tools Used

Manual Testing.

Recommended Mitigation Steps

In mintYieldFee function : deduct the uint96(_shares) amount from _yieldFeeTotalSupply:

_yieldFeeTotalSupply -= uint96(_shares);

Assessed type

Math

[c4-judge]

Picodes changed the severity to 2 (Med Risk)

[c4-sponsor]

asselstine marked the issue as sponsor confirmed

[c4-judge]

Picodes marked the issue as duplicate of #458

[c4-judge]

Picodes marked the issue as satisfactory

[PierrickGT]

Fixed by safe casting to uint96 in the _mint function in this PR: https://github.com/GenerationSoftware/pt-v5-vault/pull/9/files#diff-97c974f5c3c03a0cfcbc52a5b8b9ae2196d535754ff2034e2903de1fec23508aR1130