Platform: Code4rena
Start Date: 07/07/2023
Pot Size: $121,650 USDC
Total HM: 36
Participants: 111
Period: 7 days
Judge: Picodes
Total Solo HM: 13
Id: 258
League: ETH
Rank: 55/111
Findings: 2
Award: $165.56
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Udsen
Also found by: 0xMirce, 0xPsuedoPandit, 0xStalin, 0xbepresent, Aymen0909, Bobface, Co0nan, GREY-HAWK-REACH, Jeiwan, John, KupiaSec, LuchoLeonel1, Nyx, Praise, RedTiger, alexweb3, bin2chen, btk, dacian, dirk_y, josephdara, keccak123, ktg, mahdirostami, markus_ether, minhtrng, ni8mare, peanuts, ptsanev, ravikiranweb3, rvierdiiev, seeques, serial-coder, shaka, teawaterwire, wangxx2026, zzzitron
2.2492 USDC - $2.25
Anyone can call the mintYieldFee function to claim the yield fees due to a missing access control check.
During Vault initialization, the owner sets the yieldFeeRecipient address; this address is supposed to be the only entity that can mint the yield fee, similar to the _liquidationPair and _claimer addresses.
Unlike the liquidate and claimPrizes functions, which check the sender, the function mintYieldFee doesn't check that msg.sender == yieldFeeRecipient, allowing anyone to call it.
Tools Used: Manual
Recommended Mitigation Steps: Add a require check to confirm the sender is the yieldFeeRecipient.
Access Control
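The sketch below is an added illustration of the finding, not PoolTogether's Vault.sol or any code from the contest repository. It keeps only the names the finding mentions (mintYieldFee, yieldFeeRecipient) and shows the unchecked function beside the hardened form with the recommended sender check; the fee-supply bookkeeping, the balanceOf mapping and the custom error names are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hypothetical, simplified vault written for this page to show the missing
/// access control check. Not the audited contract; names other than
/// mintYieldFee and yieldFeeRecipient are assumptions.
contract YieldFeeVaultSketch {
    address public immutable yieldFeeRecipient;

    // Fee shares that have accrued to the recipient but not yet been minted.
    uint256 public yieldFeeTotalSupply;

    mapping(address => uint256) public balanceOf;

    error CallerNotYieldFeeRecipient(address caller, address yieldFeeRecipient);
    error YieldFeeGTAvailable(uint256 requested, uint256 available);

    constructor(address _yieldFeeRecipient) {
        yieldFeeRecipient = _yieldFeeRecipient;
    }

    /// Stand-in for the accrual the real vault does on liquidation: the
    /// protocol credits fee shares that the recipient may later mint.
    function _accrueYieldFee(uint256 _shares) internal {
        yieldFeeTotalSupply += _shares;
    }

    /// Vulnerable shape: nothing ties the caller to yieldFeeRecipient, so any
    /// address can move the accrued fee shares to a recipient of its choosing.
    function mintYieldFeeUnchecked(uint256 _shares, address _recipient) external {
        if (_shares > yieldFeeTotalSupply) {
            revert YieldFeeGTAvailable(_shares, yieldFeeTotalSupply);
        }
        yieldFeeTotalSupply -= _shares;
        balanceOf[_recipient] += _shares;
    }

    /// Hardened shape: the check the finding recommends. Only the configured
    /// yieldFeeRecipient may mint the fee shares, matching the sender checks
    /// that liquidate and claimPrizes already perform for their own roles.
    function mintYieldFee(uint256 _shares, address _recipient) external {
        if (msg.sender != yieldFeeRecipient) {
            revert CallerNotYieldFeeRecipient(msg.sender, yieldFeeRecipient);
        }
        if (_shares > yieldFeeTotalSupply) {
            revert YieldFeeGTAvailable(_shares, yieldFeeTotalSupply);
        }
        yieldFeeTotalSupply -= _shares;
        balanceOf[_recipient] += _shares;
    }
}
```

The check sits first in the function so that an unauthorized caller reverts before any state is read or written; a Foundry test that calls mintYieldFee from a non-recipient address and expects CallerNotYieldFeeRecipient is the regression test to keep alongside the fix.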
#0 - c4-judge
2023-07-14T22:24:16Z
Picodes marked the issue as duplicate of #396
#1 - c4-judge
2023-08-05T22:03:29Z
Picodes marked the issue as satisfactory
🌟 Selected for report: 0xkasper
Also found by: 0xStalin, 0xbepresent, 3docSec, Aymen0909, Co0nan, GREY-HAWK-REACH, Jeiwan, minhtrng, qpzm
163.3108 USDC - $163.31
An attacker can force-delegate any user to the sponsorship address without their permission.
The function sponsor calls _sponsor internally, passing the assets and the _receiver address. The _receiver address is the user who will receive the vault shares.
The issue is that the _sponsor function invokes _twabController.sponsor(_receiver), passing the _receiver instead of msg.sender. The function _twabController.sponsor then calls the _delegate function internally, passing the receiver as the from address. The function _delegate updates the delegates mapping of the from address in the vault to the sponsorship address.
An attacker can pass assets as zero, which results in zero shares minted, but still delegates the victim to the sponsorship address.
Tools Used: Manual
Recommended Mitigation Steps: Use msg.sender instead of _receiver when calling _twabController.sponsor().
Context
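The sketch below is an added illustration of the finding, not PoolTogether's Vault or TwabController code. It reduces both contracts to the pieces the finding talks about (sponsor, _sponsor, _twabController.sponsor, _delegate, the delegates mapping) and shows the call that passes _receiver beside the corrected call that passes msg.sender. The value of the sponsorship address, the delegates layout, the delegateOf helper and the 1:1 deposit accounting are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Minimal stand-in for the TWAB controller, written for this page. Not the
/// audited contract; SPONSORSHIP_ADDRESS, the mapping layout and delegateOf
/// are assumptions.
contract TwabControllerSketch {
    address public constant SPONSORSHIP_ADDRESS = address(1);

    // vault => account => delegate
    mapping(address => mapping(address => address)) public delegates;

    /// Called by a vault. `_from` is the account whose delegation changes; the
    /// controller trusts the vault to name the right account, so the vault must
    /// only ever pass the account that actually asked to be sponsored.
    function sponsor(address _from) external {
        _delegate(msg.sender, _from, SPONSORSHIP_ADDRESS);
    }

    function delegateOf(address _vault, address _account) external view returns (address) {
        return delegates[_vault][_account];
    }

    function _delegate(address _vault, address _from, address _to) internal {
        delegates[_vault][_from] = _to;
    }
}

/// Minimal vault stand-in with the vulnerable and corrected sponsor paths.
contract VaultSketch {
    TwabControllerSketch public immutable twabController;
    mapping(address => uint256) public balanceOf;

    constructor(TwabControllerSketch _twabController) {
        twabController = _twabController;
    }

    /// Vulnerable shape: the caller chooses `_receiver`, and `_receiver` is the
    /// account that gets delegated. With `_assets == 0` no deposit happens at
    /// all, so the only effect of the call is the delegation of someone else.
    function sponsorUnchecked(uint256 _assets, address _receiver) external returns (uint256) {
        return _sponsorUnchecked(_assets, _receiver);
    }

    function _sponsorUnchecked(uint256 _assets, address _receiver) internal returns (uint256) {
        uint256 shares = _deposit(_assets, _receiver);
        twabController.sponsor(_receiver);
        return shares;
    }

    /// Corrected shape (the finding's recommendation): the account passed to
    /// the controller is msg.sender, so a caller can only change its own
    /// delegation, whoever receives the shares.
    function sponsor(uint256 _assets, address _receiver) external returns (uint256) {
        return _sponsor(_assets, _receiver);
    }

    function _sponsor(uint256 _assets, address _receiver) internal returns (uint256) {
        uint256 shares = _deposit(_assets, _receiver);
        if (twabController.delegateOf(address(this), msg.sender) != twabController.SPONSORSHIP_ADDRESS()) {
            twabController.sponsor(msg.sender);
        }
        return shares;
    }

    /// 1:1 share accounting; the real token transfer is omitted in this sketch.
    function _deposit(uint256 _assets, address _receiver) internal returns (uint256) {
        balanceOf[_receiver] += _assets;
        return _assets;
    }
}
```

The delegateOf guard in the corrected path is only an optimisation (it skips a no-op write when the sender is already sponsoring); the security-relevant change is the argument to twabController.sponsor. A test worth keeping is one that calls sponsor with a zero amount and a third-party receiver and asserts that the receiver's delegate is unchanged while the sender's is the sponsorship address.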
#0 - c4-judge
2023-07-18T15:47:15Z
Picodes marked the issue as duplicate of #393
#1 - c4-judge
2023-08-06T10:30:11Z
Picodes changed the severity to 3 (High Risk)
#2 - c4-judge
2023-08-06T10:30:19Z
Picodes marked the issue as satisfactory