code-423n4 / 2023-07-pooltogether-findings


No access control on mintYieldFee #454

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394-L402

Vulnerability details

Impact

Lack of access-control allows anyone to mint the yield fee to himself.

Proof of Concept

Vault.mintYieldFee does not restrict the _recipient of the yield fees:

  function mintYieldFee(uint256 _shares, address _recipient) external {
    _requireVaultCollateralized();
    if (_shares > _yieldFeeTotalSupply) revert YieldFeeGTAvailable(_shares, _yieldFeeTotalSupply);

    _yieldFeeTotalSupply -= _shares;
    _mint(_recipient, _shares);

    emit MintYieldFee(msg.sender, _recipient, _shares);
  }

Tools Used

Manual Review

Recommended Mitigation Steps

Don't use an extra parameter for the recipient and use the contract's _yieldFeeRecipient instead.

Assessed type

Access Control
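
The reported function next to the recommended mitigation, as an added sketch that is not part of the original submission and is not the project's Vault.sol. The contract name YieldFeeSketch, the constructor, the event parameter names, the simplified _mint and the function name mintYieldFeeToRecipient are assumptions made for illustration; the collateralization check is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration: a stripped-down stand-in for the vault, not the project's code.
// Share accounting is reduced to a balance mapping (assumption).
contract YieldFeeSketch {
    error YieldFeeGTAvailable(uint256 shares, uint256 yieldFeeTotalSupply);
    // Parameter names are assumed; the page only shows the emit call.
    event MintYieldFee(address indexed caller, address indexed recipient, uint256 shares);

    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    uint256 internal _yieldFeeTotalSupply;
    address internal _yieldFeeRecipient;

    // Constructor arguments are assumptions that seed the sketch's state.
    constructor(address yieldFeeRecipient_, uint256 accruedFeeShares_) {
        _yieldFeeRecipient = yieldFeeRecipient_;
        _yieldFeeTotalSupply = accruedFeeShares_;
    }

    // Simplified mint: credits shares without any ERC-20 or ERC-4626 logic.
    function _mint(address to, uint256 shares) internal {
        totalSupply += shares;
        balanceOf[to] += shares;
    }

    // As reported: the caller supplies _recipient, so the destination of the
    // accrued fee shares is not tied to the configured fee recipient.
    function mintYieldFee(uint256 _shares, address _recipient) external {
        if (_shares > _yieldFeeTotalSupply) revert YieldFeeGTAvailable(_shares, _yieldFeeTotalSupply);
        _yieldFeeTotalSupply -= _shares;
        _mint(_recipient, _shares);
        emit MintYieldFee(msg.sender, _recipient, _shares);
    }

    // Recommended mitigation: no recipient parameter. Anyone may still trigger
    // the mint, but shares can only be credited to the stored _yieldFeeRecipient.
    // The function name is hypothetical.
    function mintYieldFeeToRecipient(uint256 _shares) external {
        if (_shares > _yieldFeeTotalSupply) revert YieldFeeGTAvailable(_shares, _yieldFeeTotalSupply);
        _yieldFeeTotalSupply -= _shares;
        _mint(_yieldFeeRecipient, _shares);
        emit MintYieldFee(msg.sender, _yieldFeeRecipient, _shares);
    }
}
```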

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #396

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory