Platform: Code4rena
Start Date: 07/07/2023
Pot Size: $121,650 USDC
Total HM: 36
Participants: 111
Period: 7 days
Judge: Picodes
Total Solo HM: 13
Id: 258
League: ETH
Rank: 81/111
Findings: 1
Award: $22.96
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Jeiwan
Also found by: 0xSmartContract, 0xStalin, 3docSec, ABAIKUNANBAEV, btk, dev0cloo, dirk_y, grearlake, jaraxxus, keccak123, neumo, oxchsyston, rvierdiiev
22.9603 USDC - $22.96
Malicious yield vault owners can steal depositors' assets.
yieldVault_ is the address of the ERC4626 vault in which assets are deposited to generate yield. After tokens are deposited into the vault, the deposit function of the yieldVault is called. Since anyone can create a yield vault and anyone can create a vault, the deposit function that gets called may not behave like the intended ERC4626 function. If the yield vault creator is malicious, the deposit function can contain code that transfers all assets from the depositor to the owner instead of minting shares.
      SafeERC20.safeTransferFrom(
        _asset,
        _caller,
        address(this),
        _assetsDeposit != 0 ? _assetsDeposit : _assets
      );
    }

    _yieldVault.deposit(_assets, address(this));
    _mint(_receiver, _shares);
The deposit function of the yieldVault can take the assets deposited by the user and route them to the malicious owner without minting any shares.
Manual Review
Make sure that all yield vaults can be trusted. Maintain a whitelist that checks that a yield vault owner who intends to create a PoolTogether vault has a proper yield vault set up first.
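One way to implement the whitelist recommended above, as an added example that is not code from the audited project: `YieldVaultAllowlist`, `GuardedVault`, `governance` and `yieldSharesOf` are hypothetical names, and OpenZeppelin Contracts 4.9 or later is assumed for `forceApprove`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {IERC4626} from "@openzeppelin/contracts/interfaces/IERC4626.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical registry: governance vets a yield vault before any vault may use it.
contract YieldVaultAllowlist {
    address public immutable governance;
    mapping(address => bool) public isTrusted;
    constructor(address governance_) { governance = governance_; }

    function setTrusted(address yieldVault, bool trusted) external {
        require(msg.sender == governance, "not governance");
        isTrusted[yieldVault] = trusted;
    }
}

/// Hypothetical vault that refuses unvetted yield vaults (not the audited Vault).
contract GuardedVault {
    using SafeERC20 for IERC20;
    error UntrustedYieldVault(address yieldVault);
    error AssetMismatch();
    error SharesNotMinted(uint256 expected, uint256 received);

    IERC20 public immutable asset;
    IERC4626 public immutable yieldVault;
    mapping(address => uint256) public yieldSharesOf;

    constructor(YieldVaultAllowlist allowlist, IERC20 asset_, IERC4626 yieldVault_) {
        // Primary control: the yield vault must be approved before this vault can exist.
        if (!allowlist.isTrusted(address(yieldVault_))) revert UntrustedYieldVault(address(yieldVault_));
        if (yieldVault_.asset() != address(asset_)) revert AssetMismatch();
        asset = asset_;
        yieldVault = yieldVault_;
    }

    function deposit(uint256 assets) external returns (uint256 received) {
        asset.safeTransferFrom(msg.sender, address(this), assets);
        uint256 expected = yieldVault.previewDeposit(assets);
        uint256 sharesBefore = yieldVault.balanceOf(address(this));
        asset.forceApprove(address(yieldVault), assets);
        yieldVault.deposit(assets, address(this));
        // Secondary check only: catches a vault that mints nothing, but a hostile
        // vault can misreport balanceOf, so it does not replace the allowlist.
        received = yieldVault.balanceOf(address(this)) - sharesBefore;
        if (received < expected) revert SharesNotMinted(expected, received);
        yieldSharesOf[msg.sender] += received;
    }
}
```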
ERC4626
#0 - c4-judge
2023-07-16T21:49:24Z
Picodes marked the issue as duplicate of #324
#1 - c4-judge
2023-08-06T10:45:22Z
Picodes marked the issue as satisfactory