code-423n4 / 2024-02-spectra-findings

The main invariant that PT and its YT should have an equal supply at all times can be broken #174

Closed c4-bot-1 closed 8 months ago

c4-bot-1 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/YieldToken.sol#L57-L61

Vulnerability details

Impact

The sponsor mentioned in Main invariants that PT and its YT should have an equal supply at all times, but YieldToken.sol#burn can be called by the user, which can obviously cause the supply of YieldToken to be reduced.

Proof of Concept

When PT is minted, an equal amount of YT is minted. This ensures that PT and its YT have an equal supply.

    function _depositIBT(
        uint256 _ibts,
        address _ptReceiver,
        address _ytReceiver
    ) internal notExpired nonReentrant whenNotPaused returns (uint256 shares) {
        updateYield(_ytReceiver);
        uint256 tokenizationFee = PrincipalTokenUtil._computeTokenizationFee(
            _ibts,
            address(this),
            registry
        );
        _updateFees(tokenizationFee);
        shares = _convertIBTsToShares(_ibts - tokenizationFee, false);
        if (shares == 0) {
            revert RateError();
        }
        _mint(_ptReceiver, shares);
        emit Mint(msg.sender, _ptReceiver, shares);
        IYieldToken(yt).mint(_ytReceiver, shares);
    }

PT does not provide a burn function, which ensures that users cannot reduce the supply of PT by themselves.

    function burn(uint256 amount) public override {
        IPrincipalToken(pt).updateYield(msg.sender);
        _burn(msg.sender, amount);
    }

But in YT, there is a burn function, which any user can call to reduce the supply of YT owned by themselves. Although this will cause a loss of their own profits, it does break the invariant.

Tools Used

Manual Review

Recommended Mitigation Steps

Delete the burn function in YT.

Assessed type

Other

c4-pre-sort commented 8 months ago

gzeon-c4 marked the issue as duplicate of #114

c4-pre-sort commented 8 months ago

gzeon-c4 marked the issue as sufficient quality report

c4-judge commented 8 months ago

JustDravee marked the issue as unsatisfactory: Invalid
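
The supply accounting described in the report above, as an added example that is not part of the original report or of the Spectra code base. `ModelPT`, `ModelYT`, `suppliesEqual` and `SupplyInvariantCheck` are hypothetical, simplified stand-ins with no fees, yield, expiry or access control, used only to show how a paired-mint design can be checked against a holder-callable burn on one side.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Simplified model, NOT the Spectra contracts: only the supply accounting
// described in the report is kept (no fees, yield, expiry or pausing).
contract ModelYT {
    address public immutable pt;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    constructor() { pt = msg.sender; }

    function mint(address to, uint256 amount) external {
        require(msg.sender == pt, "only PT");
        balanceOf[to] += amount;
        totalSupply += amount;
    }

    // Holder-callable burn, mirroring the shape of the burn snippet in the report.
    function burn(uint256 amount) external {
        balanceOf[msg.sender] -= amount; // checked arithmetic: reverts if balance is too low
        totalSupply -= amount;
    }
}

contract ModelPT {
    ModelYT public immutable yt;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    constructor() { yt = new ModelYT(); }

    // Mints the same number of PT and YT shares, as _depositIBT does in the report.
    function deposit(uint256 shares, address ptReceiver, address ytReceiver) external {
        balanceOf[ptReceiver] += shares;
        totalSupply += shares;
        yt.mint(ytReceiver, shares);
    }

    // The invariant under discussion: PT supply equals YT supply.
    function suppliesEqual() public view returns (bool) {
        return totalSupply == yt.totalSupply();
    }
}

contract SupplyInvariantCheck {
    // Evaluates the invariant once after a paired mint and once after a YT-only burn.
    function run() external returns (bool afterDeposit, bool afterBurn) {
        ModelPT pt = new ModelPT();
        pt.deposit(100, address(this), address(this));
        afterDeposit = pt.suppliesEqual();
        pt.yt().burn(40); // only the YT side changes; the model has no matching PT burn
        afterBurn = pt.suppliesEqual();
    }
}
```

Calling `run()` on a deployed `SupplyInvariantCheck` returns the invariant's value at both points, so the effect of a one-sided burn on the equality can be read directly from the return values.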