Platform: Code4rena
Start Date: 07/07/2023
Pot Size: $121,650 USDC
Total HM: 36
Participants: 111
Period: 7 days
Judge: Picodes
Total Solo HM: 13
Id: 258
League: ETH
Rank: 107/111
Findings: 1
Award: $2.25
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Udsen
Also found by: 0xMirce, 0xPsuedoPandit, 0xStalin, 0xbepresent, Aymen0909, Bobface, Co0nan, GREY-HAWK-REACH, Jeiwan, John, KupiaSec, LuchoLeonel1, Nyx, Praise, RedTiger, alexweb3, bin2chen, btk, dacian, dirk_y, josephdara, keccak123, ktg, mahdirostami, markus_ether, minhtrng, ni8mare, peanuts, ptsanev, ravikiranweb3, rvierdiiev, seeques, serial-coder, shaka, teawaterwire, wangxx2026, zzzitron
2.2492 USDC - $2.25
The function mintYieldFee in Vault.sol does not have any access restrictions. Consequently, anyone has the capability to mint Vault shares and allocate them to any recipient without limitations or restrictions.
    function mintYieldFee(uint256 _shares, address _recipient) external {
        _requireVaultCollateralized();
        if (_shares > _yieldFeeTotalSupply) revert YieldFeeGTAvailable(_shares, _yieldFeeTotalSupply);
        _yieldFeeTotalSupply -= _shares;
        _mint(_recipient, _shares);
        emit MintYieldFee(msg.sender, _recipient, _shares);
    }
The function mintYieldFee in Vault.sol serves the purpose of minting Vault shares and allocating them to the yield fee recipient specified by _recipient. However, it lacks a modifier to restrict access to this function. As a result, anyone can call this function and mint Vault shares for any recipient of their choice without any limitations or restrictions.
Indeed, the absence of access restrictions and proper validation in the mintYieldFee function of Vault.sol can lead to the loss of the intended yield fee. As anyone can call this function and mint Vault shares for any recipient, it can result in unauthorized or unintended allocation of the yield fee, potentially leading to financial losses or incorrect distribution of funds.
It is crucial to add a modifier that restricts access to the mintYieldFee function in order to ensure proper control and prevent unauthorized usage. By implementing a suitable modifier, such as onlyOwner or onlyAdmin, the function's execution can be restricted to authorized individuals or entities only. This helps maintain the integrity of the yield fee allocation process and reduces the risk of unintended or unauthorized minting of Vault shares.
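As an added illustration (not the audited Vault.sol or any project code), the function as reported with the recommended onlyOwner gate, followed by a Foundry regression test that checks an arbitrary caller is rejected while the owner still can mint. The single-owner constructor, the stubbed _mint and _requireVaultCollateralized, and the Unauthorized error are assumptions made so the example compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "forge-std/Test.sol";

// Added illustration, not the audited Vault.sol: storage, _mint and the
// collateralization check are stubbed so the contract compiles stand-alone.
contract VaultFixed {
    address public immutable owner;           // assumed: one owner fixed at deployment
    uint256 public _yieldFeeTotalSupply;      // accrued yield fee not yet minted
    mapping(address => uint256) public balanceOf;
    error YieldFeeGTAvailable(uint256 requested, uint256 available);
    error Unauthorized(address caller);
    event MintYieldFee(address indexed caller, address indexed recipient, uint256 shares);

    constructor(uint256 accruedFee) { owner = msg.sender; _yieldFeeTotalSupply = accruedFee; }

    // The modifier the finding recommends: every caller but the owner is rejected.
    modifier onlyOwner() {
        if (msg.sender != owner) revert Unauthorized(msg.sender);
        _;
    }

    function _requireVaultCollateralized() internal view {}   // assumed check, stubbed
    function _mint(address to, uint256 amount) internal { balanceOf[to] += amount; }

    // Same body as the reported function, now gated by onlyOwner.
    function mintYieldFee(uint256 _shares, address _recipient) external onlyOwner {
        _requireVaultCollateralized();
        if (_shares > _yieldFeeTotalSupply) revert YieldFeeGTAvailable(_shares, _yieldFeeTotalSupply);
        _yieldFeeTotalSupply -= _shares;
        _mint(_recipient, _shares);
        emit MintYieldFee(msg.sender, _recipient, _shares);
    }
}

// Foundry test: an unrelated account can no longer claim the yield fee.
contract VaultFixedTest is Test {
    VaultFixed vault;
    address outsider = address(0xBEEF);      // constructed, non-owner address
    function setUp() public { vault = new VaultFixed(1_000e18); }   // owner = this test

    function testOutsiderCannotMintYieldFee() public {
        vm.prank(outsider);
        vm.expectRevert(abi.encodeWithSelector(VaultFixed.Unauthorized.selector, outsider));
        vault.mintYieldFee(1_000e18, outsider);
        assertEq(vault.balanceOf(outsider), 0);
    }
    function testOwnerCanMintYieldFee() public {
        vault.mintYieldFee(400e18, address(this));
        assertEq(vault.balanceOf(address(this)), 400e18);
        assertEq(vault._yieldFeeTotalSupply(), 600e18);
    }
}
```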
Access Control
#0 - c4-judge
2023-07-18T15:52:22Z
Picodes marked the issue as duplicate of #396
#1 - c4-judge
2023-08-05T22:03:36Z
Picodes marked the issue as satisfactory
#2 - c4-judge
2023-08-05T22:03:51Z
Picodes changed the severity to 3 (High Risk)