Fee-deposit accounts are missing associated-token-account constraint
Description
When a user deposits into a bond, PTs and YTs are minted. Some of these tokens should be distributed to the fee wallet. Since each bond has its own mint of PTs and YTs, each bond needs two fee wallets specifically for those mints.
These fee wallets are passed in by the user when depositing:
    #[account(
        mut,
        token::token_program = token_program,
        token::authority = protocol_fee_wallet,
    )]
    pub fee_wallet_pt: Box<InterfaceAccount<'info, TokenAccount>>,
    #[account(
        mut,
        token::token_program = token_program,
        token::authority = protocol_fee_wallet,
    )]
    pub fee_wallet_yt: Box<InterfaceAccount<'info, TokenAccount>>

However, there is no constraint that the two accounts are associated token accounts for the protocol_fee_wallet authority. This means that a user could create new fee wallets for the protocol_fee_wallet account on each deposit.
Impact
The collected fees for one bond could be distributed over a large number of fee wallets, making it hard to collect and redeem fees.
Recommendations
Change the token constraint to require that they are associated token accounts.
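An associated token account is the single address derived from the owner, the token program, and the mint, which is why requiring it leaves exactly one PT and one YT fee wallet per bond. The following off-chain check is an added example, not code from the audited project: it recomputes that address so a fee wallet seen in a deposit can be compared against it. It assumes the standard derivation under the Associated Token Account program; the function names and sample keys are constructed for illustration.

```python
import hashlib

# Well-known program IDs (base58).
ATA_PROGRAM = "ATokenGPvbdGVxr1b2hvZbsiqW5xWH25efTNsLJA8knL"
TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA"

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P  # ed25519 curve constant d

def b58decode32(s: str) -> bytes:
    """Decode a base58 public key into its 32 raw bytes."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    return n.to_bytes(32, "big")

def on_curve(b: bytes) -> bool:
    """True if the bytes decompress to an ed25519 point (so not usable as a PDA)."""
    y = (int.from_bytes(b, "little") & ((1 << 255) - 1)) % P
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    return x2 == 0 or pow(x2, (P - 1) // 2, P) == 1

def find_program_address(seeds, program_id: bytes) -> bytes:
    """Try bumps from 255 down and return the first off-curve hash."""
    for bump in range(255, -1, -1):
        h = hashlib.sha256(b"".join(seeds) + bytes([bump]) + program_id
                           + b"ProgramDerivedAddress").digest()
        if not on_curve(h):
            return h
    raise ValueError("no off-curve address found")

def canonical_ata(owner: bytes, mint: bytes, token_program: bytes) -> bytes:
    """The one associated token account for (owner, token program, mint)."""
    return find_program_address([owner, token_program, mint],
                                b58decode32(ATA_PROGRAM))

def is_canonical_fee_wallet(account, owner, mint, token_program) -> bool:
    """False for any token account that is not the derived ATA."""
    return account == canonical_ata(owner, mint, token_program)

# Constructed sample keys (not real accounts).
TOKEN_PROGRAM_ID = b58decode32(TOKEN_PROGRAM)
FEE_AUTHORITY = hashlib.sha256(b"constructed protocol_fee_wallet").digest()
PT_MINT = hashlib.sha256(b"constructed PT mint").digest()
YT_MINT = hashlib.sha256(b"constructed YT mint").digest()
STRAY_ACCOUNT = hashlib.sha256(b"constructed extra fee wallet").digest()
```

A token account that passes the original `token::authority` constraint but fails `is_canonical_fee_wallet` is one of the scattered fee wallets described under Impact.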
Remediation
This issue has been acknowledged by Pye in the Sky Labs Ltd., and a fix was implemented in commit ac441d01.