Platform: Code4rena
Start Date: 16/10/2023
Pot Size: $60,500 USDC
Total HM: 16
Participants: 131
Period: 10 days
Judge: 0xTheC0der
Total Solo HM: 3
Id: 296
League: ETH
Rank: 104/131
Findings: 1
Award: $6.67
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: YusSecurity
Also found by: 0xAsen, 0xCiphky, 0xDING99YA, 0xKbl, 0xSwahili, 0xbepresent, 3docSec, AS, Aymen0909, DeFiHackLabs, GREY-HAWK-REACH, KeyKiril, MiloTruck, QiuhaoLi, Silvermist, SovaSlava, TrungOre, VAD37, Vagner, Yanchuan, ZdravkoHr, ast3ros, cartlex_, d3e4, deth, ggg_ttt_hhh, gizzy, kodyvim, nirlin, nobody2018, rvierdiiev, serial-coder, sl1, tallo, xeros
6.6715 USDC - $6.67
https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/market/WildcatMarketWithdrawals.sol#L166-L170 https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/market/WildcatMarketBase.sol#L172-L176
Detailed description of the impact of this finding.
In the _blockAccount function and when creating the escrow contract in executeWithdrawal, the parameters are being passed in the wrong order. Specifically, the account address is being passed first, and the borrower's address is being passed second. This mistake is causing several problems.
The most significant issue is that, as a result of this mistake, after a lender is sanctioned and their assets are moved to an escrow contract, contrary to the expected behaviour, the escrow is releasable. Since in the escrow the account address is actually the borrower address, a borrower can call releaseEscrow and have the funds transferred to themselves.
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
Adding the following test to the WildcatMarketWithdrawals.t.sol
function test_borrowerCanReleaseEscrow() external { _deposit(alice, 1e18); _requestWithdrawal(alice, 1e18); fastForward(parameters.withdrawalBatchDuration); sanctionsSentinel.sanction(alice); address escrow = sanctionsSentinel.getEscrowAddress(alice, borrower, address(asset)); vm.expectEmit(address(asset)); emit Transfer(address(market), escrow, 1e18); vm.expectEmit(address(market)); emit SanctionedAccountWithdrawalSentToEscrow(alice, escrow, uint32(block.timestamp), 1e18); market.executeWithdrawal(alice, uint32(block.timestamp)); bool canReleaseEscrow = WildcatSanctionsEscrow(escrow).canReleaseEscrow(); assertEq(canReleaseEscrow, true); vm.prank(borrower); assertEq(asset.balanceOf(borrower), 0); WildcatSanctionsEscrow(escrow).releaseEscrow(); assertEq(asset.balanceOf(borrower), 1e18); }
Results:
Running 1 test for test/market/WildcatMarketWithdrawals.t.sol:WithdrawalsTest [PASS] test_borrowerCanReleaseEscrow() (gas: 931809) Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 3.09ms
Foundry
Pass the parameters in the code linked above in the correct order
Other
#0 - c4-pre-sort
2023-10-27T02:31:54Z
minhquanym marked the issue as duplicate of #515
#1 - c4-judge
2023-11-07T11:58:16Z
MarioPoneder marked the issue as satisfactory