Platform: Code4rena
Start Date: 07/07/2023
Pot Size: $121,650 USDC
Total HM: 36
Participants: 111
Period: 7 days
Judge: Picodes
Total Solo HM: 13
Id: 258
League: ETH
Rank: 109/111
Findings: 1
Award: $2.25
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Udsen
Also found by: 0xMirce, 0xPsuedoPandit, 0xStalin, 0xbepresent, Aymen0909, Bobface, Co0nan, GREY-HAWK-REACH, Jeiwan, John, KupiaSec, LuchoLeonel1, Nyx, Praise, RedTiger, alexweb3, bin2chen, btk, dacian, dirk_y, josephdara, keccak123, ktg, mahdirostami, markus_ether, minhtrng, ni8mare, peanuts, ptsanev, ravikiranweb3, rvierdiiev, seeques, serial-coder, shaka, teawaterwire, wangxx2026, zzzitron
2.2492 USDC - $2.25
There is a function called mintYieldFee in the Vault.sol file which someone can call and pass a receiver address to receive some shares of the vault. In the constructor a variable called "_yieldFeeRecipient" is set, which I assume is the address which should receive the shares up to _yieldFeeTotalSupply. However, the function is external and does not have any restrictions on who can call it, therefore anyone can mint themselves extra shares that they should not have.
Manual Review
One solution could be: inside the mintYieldFee function there is a call "_mint(_recipient, _shares);". Instead of allowing someone to pass the _recipient as a function argument, it could be replaced with the _yieldFeeRecipient variable => _mint(_yieldFeeRecipient, _shares). This way, the shares will belong to the intended address.
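The vulnerable shape beside the recommended fix, as a constructed Solidity example added here (it is not code from the audited Vault.sol). The share-accounting base contract, the cap check against _yieldFeeTotalSupply and the omission of fee accrual are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed stand-in for the vault's share accounting; not the audited contract.
abstract contract SharesBase {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    function _mint(address to, uint256 shares) internal {
        totalSupply += shares;
        balanceOf[to] += shares;
    }
}

// Pattern described in the finding: the caller chooses who receives the fee shares.
contract VulnerableVault is SharesBase {
    address internal _yieldFeeRecipient;
    uint256 internal _yieldFeeTotalSupply; // fee shares accrued but not yet minted (accrual omitted, assumed)

    constructor(address yieldFeeRecipient_) {
        _yieldFeeRecipient = yieldFeeRecipient_;
    }

    // External and unrestricted: any account can redirect the accrued fee shares to itself.
    function mintYieldFee(address _recipient, uint256 _shares) external {
        require(_shares <= _yieldFeeTotalSupply, "exceeds accrued yield fee");
        _yieldFeeTotalSupply -= _shares;
        _mint(_recipient, _shares);
    }
}

// Hardened form following the recommended mitigation: recipient fixed at construction.
contract HardenedVault is SharesBase {
    address internal immutable _yieldFeeRecipient;
    uint256 internal _yieldFeeTotalSupply;

    constructor(address yieldFeeRecipient_) {
        require(yieldFeeRecipient_ != address(0), "zero recipient");
        _yieldFeeRecipient = yieldFeeRecipient_;
    }

    // Still callable by anyone, but the shares can only land on the intended address.
    function mintYieldFee(uint256 _shares) external {
        require(_shares <= _yieldFeeTotalSupply, "exceeds accrued yield fee");
        _yieldFeeTotalSupply -= _shares;
        _mint(_yieldFeeRecipient, _shares);
    }
}
```

Dropping the _recipient parameter removes the attacker-controlled input entirely, which is simpler to review than adding a caller restriction while keeping the parameter.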
Access Control
#0 - c4-judge
2023-07-16T22:20:18Z
Picodes marked the issue as duplicate of #396
#1 - c4-judge
2023-08-05T22:03:51Z
Picodes changed the severity to 3 (High Risk)
#2 - c4-judge
2023-08-05T22:04:38Z
Picodes marked the issue as satisfactory