Platform: Code4rena
Start Date: 07/07/2023
Pot Size: $121,650 USDC
Total HM: 36
Participants: 111
Period: 7 days
Judge: Picodes
Total Solo HM: 13
Id: 258
League: ETH
Rank: 22/111
Findings: 2
Award: $1,481.83
🌟 Selected for report: 1
🚀 Solo Findings: 0
🌟 Selected for report: Udsen
Also found by: 0xMirce, 0xPsuedoPandit, 0xStalin, 0xbepresent, Aymen0909, Bobface, Co0nan, GREY-HAWK-REACH, Jeiwan, John, KupiaSec, LuchoLeonel1, Nyx, Praise, RedTiger, alexweb3, bin2chen, btk, dacian, dirk_y, josephdara, keccak123, ktg, mahdirostami, markus_ether, minhtrng, ni8mare, peanuts, ptsanev, ravikiranweb3, rvierdiiev, seeques, serial-coder, shaka, teawaterwire, wangxx2026, zzzitron
2.2492 USDC - $2.25
Anyone can steal the YieldFee available in Vault.sol
The function mintYieldFee is external and everybody can call it to mint shares. The only condition is that the number of _shares should be lower or eaqual than _yieldFeeTotalSupply
function mintYieldFee(uint256 _shares, address _recipient) external { _requireVaultCollateralized(); if (_shares > _yieldFeeTotalSupply) revert YieldFeeGTAvailable(_shares, _yieldFeeTotalSupply); _yieldFeeTotalSupply -= _shares; _mint(_recipient, _shares); emit MintYieldFee(msg.sender, _recipient, _shares); }
This is an issue as anyone can steal the yield fee available by changing the _recipient input to any address. The different functions related to mintfee are all only callable by the the owner of the vault.
Manual review
Use the onlyOwner modifier for mintYieldFee or change the function mintYieldFee(uint256 _shares, address _recipient) to only mintYieldFee(uint256 shares) and use as recipient the yieldFeeRecipient, that is never used.
Invalid Validation
#0 - c4-judge
2023-07-14T22:20:52Z
Picodes marked the issue as duplicate of #396
#1 - c4-judge
2023-08-05T22:04:14Z
Picodes marked the issue as satisfactory
🌟 Selected for report: RedTiger
Also found by: wangxx2026, zzzitron
1479.5831 USDC - $1,479.58
The liquidate() and mintYieldFee() functions could leave the vaults undercollateralized.
_requireVaultCollateralized() is called at the beginning of mintYieldFee() and liquidate(). Or these two functions change the state, and the vault could become undercollateralized at the end of the functions.
function mintYieldFee(uint256 _shares, address _recipient) external { _requireVaultCollateralized(); if (_shares > _yieldFeeTotalSupply) revert YieldFeeGTAvailable(_shares, _yieldFeeTotalSupply);
function mintYieldFee(uint256 _shares, address _recipient) external { _requireVaultCollateralized(); if (_shares > _yieldFeeTotalSupply) revert YieldFeeGTAvailable(_shares, _yieldFeeTotalSupply);
Manual review
Call _requireVaultCollateralized() at the end of these functions instead of calling it at the beginning.
Invalid Validation
#0 - c4-judge
2023-07-18T20:02:22Z
Picodes marked the issue as duplicate of #307
#1 - c4-judge
2023-08-06T10:54:41Z
Picodes marked the issue as partial-50
#2 - c4-judge
2023-08-06T10:55:21Z
Picodes marked the issue as satisfactory
#3 - c4-judge
2023-08-06T10:55:29Z
Picodes changed the severity to 3 (High Risk)
#4 - c4-judge
2023-08-14T17:41:40Z
Picodes marked the issue as selected for report
#5 - asselstine
2023-08-17T21:02:40Z