Platform: Code4rena
Start Date: 07/07/2023
Pot Size: $121,650 USDC
Total HM: 36
Participants: 111
Period: 7 days
Judge: Picodes
Total Solo HM: 13
Id: 258
League: ETH
Rank: 42/111
Findings: 1
Award: $341.44
🌟 Selected for report: 0
🚀 Solo Findings: 0
341.4422 USDC - $341.44
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L398 https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1123
In Vault.sol/mintYieldFee function:
_yieldFeeTotalSupply is updated by decreasing the _shares amount (knowing that _yieldFeeTotalSupply & _shares are of uint256 type):_yieldFeeTotalSupply -= _shares;
_mint function: it will only mint uint96(_shares)._twabController.mint(_receiver, uint96(_shares));
_yieldFeeTotalSupply without getting an equivalent share tokens if _shares is greater than type(uint96).max.
Impact:_yieldFeeTotalSupply without getting an equivalent amount of share tokens _shares.File:pt-v5-vault/src/Vault.sol Line 398: _yieldFeeTotalSupply -= _shares;
File:pt-v5-vault/src/Vault.sol Line 1123: _twabController.mint(_receiver, uint96(_shares));
Manual Testing.
In mintYieldFee function : deduct the uint96(_shares) amount from _yieldFeeTotalSupply:
_yieldFeeTotalSupply -= uint96(_shares);
Math
#0 - c4-judge
2023-07-18T18:15:49Z
Picodes changed the severity to 2 (Med Risk)
#1 - c4-sponsor
2023-07-20T22:34:28Z
asselstine marked the issue as sponsor confirmed
#2 - c4-judge
2023-08-07T16:38:48Z
Picodes marked the issue as duplicate of #458
#3 - c4-judge
2023-08-08T14:29:38Z
Picodes marked the issue as satisfactory
#4 - PierrickGT
2023-08-10T03:56:24Z
Fixed by safe casting to uint96 in the _mint function in this PR: https://github.com/GenerationSoftware/pt-v5-vault/pull/9/files#diff-97c974f5c3c03a0cfcbc52a5b8b9ae2196d535754ff2034e2903de1fec23508aR1130