Platform: Code4rena
Start Date: 07/07/2023
Pot Size: $121,650 USDC
Total HM: 36
Participants: 111
Period: 7 days
Judge: Picodes
Total Solo HM: 13
Id: 258
League: ETH
Rank: 84/111
Findings: 2
Award: $21.54
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Udsen
Also found by: 0xMirce, 0xPsuedoPandit, 0xStalin, 0xbepresent, Aymen0909, Bobface, Co0nan, GREY-HAWK-REACH, Jeiwan, John, KupiaSec, LuchoLeonel1, Nyx, Praise, RedTiger, alexweb3, bin2chen, btk, dacian, dirk_y, josephdara, keccak123, ktg, mahdirostami, markus_ether, minhtrng, ni8mare, peanuts, ptsanev, ravikiranweb3, rvierdiiev, seeques, serial-coder, shaka, teawaterwire, wangxx2026, zzzitron
2.2492 USDC - $2.25
_yieldFeeTotalSupply, which belongs to the yield fee recipient set at the beginning inside the constructor, can be drained by a malicious actor.
mintYieldFee has no access control. It is supposed to be called by the actual recipient of the fee, which is set inside the constructor and stored in the state variable _yieldFeeRecipient, the address of the yield fee recipient that receives the fee amount when yield is captured.
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394-L402
The function is external, and anyone can pass their own address as the recipient parameter of mintYieldFee. The function then calls the internal function _mint:
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1122-L1123
_mint in turn calls _twabController.mint in TwabController.sol, which expects mint to be called by the vault; msg.sender will indeed be the vault in the context of the TwabController contract, so that check does not stop the call:
https://github.com/GenerationSoftware/pt-v5-twab-controller/blob/0145eeac23301ee5338c659422dd6d69234f5d50/src/TwabController.sol#L457C2-L460C1
Finally, the fake receiver can get all the shares backed by _yieldFeeTotalSupply.
Tools used: Manual review
Recommended mitigation: Check that the address of _recipient is the same as _yieldFeeRecipient.
Access Control
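The following contract is an added illustration of the mitigation for this finding; it is not the project's Vault.sol. The names _yieldFeeRecipient, _yieldFeeTotalSupply, mintYieldFee and _recipient follow the finding, while captureYieldFee, the balanceOf mapping used in place of the TWAB controller, and the error and event names are constructed so the contract compiles and runs on its own. The unchecked function shows the shape the finding describes; mintYieldFee shows the recommended recipient check, with a caller check added as a design choice.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration for this finding; NOT the project's Vault.sol.
// _yieldFeeRecipient, _yieldFeeTotalSupply, mintYieldFee and _recipient follow
// the finding. captureYieldFee, balanceOf (stand-in for the TWAB controller),
// and the error/event names are constructed for this example.
contract YieldFeeVaultExample {
    address private immutable _yieldFeeRecipient;
    uint256 private _yieldFeeTotalSupply;
    mapping(address => uint256) public balanceOf;

    error CallerNotYieldFeeRecipient(address caller, address yieldFeeRecipient);
    error RecipientNotYieldFeeRecipient(address recipient, address yieldFeeRecipient);
    error YieldFeeGTAvailable(uint256 shares, uint256 available);

    event YieldFeeMinted(address indexed recipient, uint256 shares);

    constructor(address yieldFeeRecipient_) {
        _yieldFeeRecipient = yieldFeeRecipient_;
    }

    // Constructed stand-in for the yield-capture path that accrues fee shares.
    function captureYieldFee(uint256 _shares) external {
        _yieldFeeTotalSupply += _shares;
    }

    function yieldFeeRecipient() external view returns (address) {
        return _yieldFeeRecipient;
    }

    function yieldFeeTotalSupply() external view returns (uint256) {
        return _yieldFeeTotalSupply;
    }

    // Shape the finding describes: neither the caller nor the recipient is
    // checked, so the accrued fee shares can be minted to any address.
    function mintYieldFeeUnchecked(uint256 _shares, address _recipient) external {
        _consumeAccruedFee(_shares);
        _mint(_recipient, _shares);
    }

    // Hardened version. The recipient check is the recommended mitigation;
    // the caller check is added so nobody else can trigger the mint either.
    function mintYieldFee(uint256 _shares, address _recipient) external {
        if (msg.sender != _yieldFeeRecipient) {
            revert CallerNotYieldFeeRecipient(msg.sender, _yieldFeeRecipient);
        }
        if (_recipient != _yieldFeeRecipient) {
            revert RecipientNotYieldFeeRecipient(_recipient, _yieldFeeRecipient);
        }
        _consumeAccruedFee(_shares);
        _mint(_recipient, _shares);
    }

    // Deducts shares from the accrued fee pool, reverting if too many are requested.
    function _consumeAccruedFee(uint256 _shares) internal {
        if (_shares > _yieldFeeTotalSupply) {
            revert YieldFeeGTAvailable(_shares, _yieldFeeTotalSupply);
        }
        _yieldFeeTotalSupply -= _shares;
    }

    // Stand-in for the real _mint, which forwards to _twabController.mint with
    // the vault as msg.sender (which is why the TwabController's own caller
    // check does not help here).
    function _mint(address _to, uint256 _shares) internal {
        balanceOf[_to] += _shares;
        emit YieldFeeMinted(_to, _shares);
    }
}
```

Either check alone closes the drain described in the finding: the recipient check means the shares can only ever land with the configured recipient, and the caller check means only that recipient can decide when they are minted. Keeping both avoids leaving a path where a third party can trigger the mint on the recipient's behalf.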
#0 - c4-judge
2023-07-18T15:52:15Z
Picodes marked the issue as duplicate of #396
#1 - c4-judge
2023-08-05T22:03:52Z
Picodes changed the severity to 3 (High Risk)
#2 - c4-judge
2023-08-05T22:04:23Z
Picodes marked the issue as satisfactory
🌟 Selected for report: Udsen
Also found by: 0x11singh99, 0xPsuedoPandit, Daniel526, Darwin, Inspecktor, Jorgect, Nyx, Praise, Tripathi, YY, catellatech, namx05, squeaky_cactus, xuwinnie
19.2867 USDC - $19.29
A malicious actor can get access to crucial functions like withdrawReserve and closeDraw.
In the PrizePool contract there are two ways to set the draw manager: inside the constructor, or via setDrawManager, which can be called by anyone as long as the draw manager has not been set yet. setDrawManager is therefore wide open to front-runners, and the drawManager can make sweeping changes to the protocol, such as withdrawing the reserve and closing the draw. It should be set inside the constructor; if not in the constructor, then at least this function should have some access control, for example only the deployer of the PrizePool contract should be able to call it. As per the docs there is going to be a single PrizePool contract on every chain and there can be many vaults per chain, so a large sum of pool tokens can be associated with it and the chance of this happening is very likely, hence medium severity.
Tools used: Manual review
Recommended mitigation: Put access control on drawManager.
Access Control
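The following contract is an added illustration of both options the finding proposes; it is not the project's PrizePool.sol. drawManager, setDrawManager, withdrawReserve and closeDraw follow the finding; the _deployer variable, the reserve bookkeeping, contributeReserve, the draw counter and the error names are constructed so the contract runs on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration for this finding; NOT the project's PrizePool.sol.
// drawManager, setDrawManager, withdrawReserve and closeDraw follow the
// finding; _deployer, reserve, contributeReserve, lastClosedDrawId and the
// error names are constructed for this example.
contract PrizePoolDrawManagerExample {
    address public drawManager;
    address private immutable _deployer;
    uint256 public reserve;
    uint24 public lastClosedDrawId;

    error DrawManagerAlreadySet();
    error DrawManagerZeroAddress();
    error CallerNotDeployer(address caller, address deployer);
    error CallerNotDrawManager(address caller, address drawManager);
    error InsufficientReserve(uint256 requested, uint256 available);
    error ReserveTransferFailed();

    modifier onlyDrawManager() {
        if (msg.sender != drawManager) {
            revert CallerNotDrawManager(msg.sender, drawManager);
        }
        _;
    }

    // First option from the finding: set the manager in the constructor.
    // When a non-zero address is supplied here, setDrawManager can never run.
    constructor(address drawManager_) {
        _deployer = msg.sender;
        drawManager = drawManager_;
    }

    // Second option: if the constructor left the slot empty, only the deployer
    // may fill it, and only once. The pattern the finding describes had only
    // the "already set" check, which is what left the call open to front-running.
    function setDrawManager(address _drawManager) external {
        if (drawManager != address(0)) revert DrawManagerAlreadySet();
        if (msg.sender != _deployer) revert CallerNotDeployer(msg.sender, _deployer);
        // Rejecting the zero address keeps the slot from being "set" to empty
        // and then remaining settable.
        if (_drawManager == address(0)) revert DrawManagerZeroAddress();
        drawManager = _drawManager;
    }

    // Constructed funding path so the reserve can be non-zero.
    function contributeReserve() external payable {
        reserve += msg.value;
    }

    // Privileged: only the draw manager may move reserve funds.
    function withdrawReserve(address payable _to, uint256 _amount) external onlyDrawManager {
        if (_amount > reserve) revert InsufficientReserve(_amount, reserve);
        reserve -= _amount;
        (bool ok, ) = _to.call{value: _amount}("");
        if (!ok) revert ReserveTransferFailed();
    }

    // Privileged: only the draw manager may advance the draw.
    function closeDraw() external onlyDrawManager returns (uint24) {
        lastClosedDrawId += 1;
        return lastClosedDrawId;
    }
}
```

Deploying with a non-zero manager address is the simpler path; the guarded setter is only needed when the manager contract cannot be known at deployment time, and even then the deployer check is what removes the race with other callers.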
#0 - c4-judge
2023-07-16T22:21:41Z
Picodes marked the issue as duplicate of #356
#1 - c4-judge
2023-08-06T10:32:09Z
Picodes marked the issue as satisfactory