In the Vault.constructor there is no check to verify that the user passed-in _asset for the standard vault construction and the underlying asset of the _yieldVault are the same. If standard vault is constructed with a different _asset to the one used in the yieldVault, the deposit, mint, withdraw and redeem functionalities will revert.
Hence a redeployment of the Vault contract will be needed with the correct underlying asset.
If any _asset is sent to the contract directly, those assets will be permanently locked inside the Vault contract since there is no mechanism to recover the locked assets.
Hence it is recommended to check the _asset underlying token is the same as the underlying token of the _yieldVault inside the Vault.constructor function.
Furthermore it is recommended to include a function to recover the directly sent assets to the vault (which are locked) to an admin controlled reserve. This function should be only callable by the onlyOwner.
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L254-L296
Vulnerability details
Impact
In the
Vault.constructor
there is no check to verify that the user passed-in_asset
for thestandard vault
construction and theunderlying asset
of the_yieldVault
are the same. If standard vault is constructed with a different_asset
to the one used in theyieldVault
, thedeposit
,mint
,withdraw
andredeem
functionalities will revert. Hence a redeployment of theVault
contract will be needed with the correct underlying asset.If any
_asset
is sent to the contract directly, those assets will be permanently locked inside theVault
contract since there is no mechanism to recover the locked assets.Proof of Concept
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L254-L296
Tools Used
Manual Review and VSCode
Recommended Mitigation Steps
Hence it is recommended to check the
_asset
underlying token is the same as the underlying token of the_yieldVault
inside theVault.constructor
function.Furthermore it is recommended to include a function to recover the directly sent assets to the vault (which are locked) to an admin controlled reserve. This function should be only callable by the
onlyOwner
.Assessed type
Other