PoolTogether - Bobface's results

A protocol for no-loss prize savings

General Information

Platform: Code4rena

Start Date: 07/07/2023

Pot Size: $121,650 USDC

Total HM: 36

Participants: 111

Period: 7 days

Judge: Picodes

Total Solo HM: 13

Id: 258

League: ETH

PoolTogether

Findings Distribution

Researcher Performance

Rank: 105/111

Findings: 1

Award: $2.25

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

2.2492 USDC - $2.25

Labels

bug
3 (High Risk)
satisfactory
duplicate-396

External Links

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394-L402

Vulnerability details

Summary

Anyone can withdraw the yield fee from the Vault contract.

Impact

The Vault contract charges a fee on the accumulated yield, which is supposed to be sent to the yieldFeeRecipient_, which itself is set in the constructor and can only be updated with the owner-protected method setYieldFeeRecipient.

The mintYieldFee method withdraws the accumulated fee. However, it takes a parameter address _recipient and credits the fee to that address instead of to yieldFeeRecipient_. Since the method has no access control, anyone can withdraw the yield fee by supplying an arbitrary recipient.

Proof of Concept

Link to affected code

function mintYieldFee(uint256 _shares, address _recipient) external {
    _requireVaultCollateralized();
    if (_shares > _yieldFeeTotalSupply) revert YieldFeeGTAvailable(_shares, _yieldFeeTotalSupply);

    _yieldFeeTotalSupply -= _shares;
    // Fee shares go to the caller-supplied address, not to yieldFeeRecipient_.
    _mint(_recipient, _shares);

    emit MintYieldFee(msg.sender, _recipient, _shares);
}

Tools Used

None

Recommended Mitigation Steps

Remove the address _recipient parameter and always _mint to the yieldFeeRecipient_:

function mintYieldFee(uint256 _shares) external {
    _requireVaultCollateralized();
    if (_shares > _yieldFeeTotalSupply) revert YieldFeeGTAvailable(_shares, _yieldFeeTotalSupply);

    _yieldFeeTotalSupply -= _shares;
    // The destination is fixed to the configured fee recipient; the caller cannot choose it.
    _mint(yieldFeeRecipient_, _shares);

    emit MintYieldFee(msg.sender, yieldFeeRecipient_, _shares);
}

Assessed type

Access Control
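
A regression check for the mitigation described above, as an added example that is not part of the original submission or the PoolTogether code base. FeeVaultModel is a simplified stand-in for the Vault (hypothetical names, an immutable recipient, no collateralization check), and FeeRecipientRegression.run() confirms that an arbitrary caller can trigger the mint without receiving any fee shares.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified model (assumption, not the real Vault): share balances and the
// fee counter are plain storage; the collateralization check is omitted.
contract FeeVaultModel {
    error YieldFeeGTAvailable(uint256 shares, uint256 available);

    address public immutable yieldFeeRecipient; // fixed at deployment in this model
    uint256 public yieldFeeTotalSupply;         // fee shares accrued but not yet minted
    mapping(address => uint256) public balanceOf;

    constructor(address recipient_, uint256 accruedFee_) {
        yieldFeeRecipient = recipient_;
        yieldFeeTotalSupply = accruedFee_;
    }

    // Hardened shape: anyone may trigger the mint, but the destination is
    // read from storage and is never caller-controlled.
    function mintYieldFee(uint256 shares) external {
        if (shares > yieldFeeTotalSupply) revert YieldFeeGTAvailable(shares, yieldFeeTotalSupply);
        yieldFeeTotalSupply -= shares;
        balanceOf[yieldFeeRecipient] += shares;
    }
}

// Regression check: an unrelated caller triggers the mint and gains nothing.
contract FeeRecipientRegression {
    function run() external returns (bool) {
        address feeRecipient = address(0xFEE); // constructed sample address
        FeeVaultModel vault = new FeeVaultModel(feeRecipient, 100);

        vault.mintYieldFee(40); // msg.sender is this contract, not the recipient

        require(vault.balanceOf(address(this)) == 0, "caller received fee shares");
        require(vault.balanceOf(feeRecipient) == 40, "recipient not credited");
        require(vault.yieldFeeTotalSupply() == 60, "fee counter not reduced");

        // Minting more than the remaining fee must still revert.
        try vault.mintYieldFee(61) {
            revert("over-mint succeeded");
        } catch {}
        return true;
    }
}
```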

#0 - c4-judge

2023-07-14T22:21:56Z

Picodes marked the issue as duplicate of #396

#1 - c4-judge

2023-08-05T22:04:04Z

Picodes marked the issue as satisfactory
