The Vault has a mintYieldFee method that is supposed to mint vault shares to the yield fee recipient (that is set by the vault owner). However the previous implementation allowed the caller to specify an arbitrary recipient address and didn’t perform any access control which meant that anyone could steal the yield fees from the vault.
Mitigation
The new implementation has removed the recipient argument from the mintYieldFee method and now always mints the yield fee to the _yieldFeeRecipient address. Since this address can only be set in the constructor or updated by the owner of the vault, the minting of yield fees are now safe from theft. The original issues is resolved.
Lines of code
Vulnerability details
Comments
The Vault has a
mintYieldFee
method that is supposed to mint vault shares to the yield fee recipient (that is set by the vault owner). However the previous implementation allowed the caller to specify an arbitrary recipient address and didn’t perform any access control which meant that anyone could steal the yield fees from the vault.Mitigation
The new implementation has removed the
recipient
argument from themintYieldFee
method and now always mints the yield fee to the_yieldFeeRecipient
address. Since this address can only be set in the constructor or updated by the owner of the vault, the minting of yield fees are now safe from theft. The original issues is resolved.Conclusion
LGTM