Platform: Code4rena
Start Date: 16/10/2023
Pot Size: $60,500 USDC
Total HM: 16
Participants: 131
Period: 10 days
Judge: 0xTheC0der
Total Solo HM: 3
Id: 296
League: ETH
Rank: 109/131
Findings: 1
Award: $0.16
🌟 Selected for report: 1
🚀 Solo Findings: 0
🌟 Selected for report: 0xpiken
Also found by: 0xCiphky, 0xComfyCat, 0xStalin, 0xhegel, 0xkazim, 3docSec, AM, Aymen0909, CaeraDenoir, DeFiHackLabs, Drynooo, Eigenvectors, Fulum, HALITUS, HChang26, Jiamin, Juntao, LokiThe5th, Mike_Bello90, MiloTruck, QiuhaoLi, Silvermist, SovaSlava, SpicyMeatball, T1MOH, Toshii, TrungOre, TuringConsulting, Vagner, Yanchuan, ZdravkoHr, _nd_koo, almurhasan, audityourcontracts, ayden, cartlex_, circlelooper, crunch, cu5t0mpeo, deth, erictee, ggg_ttt_hhh, gizzy, gumgumzum, hash, jasonxiale, josephdara, ke1caM, kodyvim, lanrebayode77, marqymarq10, max10afternoon, nirlin, nonseodion, osmanozdemir1, peter, radev_sw, rvierdiiev, said, serial-coder, sl1, smiling_heretic, squeaky_cactus, stackachu, tallo, trachev, zaevlad
0.1577 USDC - $0.16
https://github.com/code-423n4/2023-10-wildcat/blob/main/src/market/WildcatMarketConfig.sol#L134-L144
https://github.com/code-423n4/2023-10-wildcat/blob/main/src/market/WildcatMarket.sol#L142-L161
Without the ability to update maxTotalSupply, the borrower has no way to raise more assets in a specific market. Even worse, the borrower has to pay extra interest on unused assets indefinitely, because there is no way to reduce the market's max total supply. Similarly, the borrower keeps paying interest on a market that is no longer used, because there is no way to close it.
There are access controls on setMaxTotalSupply() and closeMarket(): only WildcatMarketController is allowed to call them. But WildcatMarketController has no function that lets the borrower reach them.
Manual review
Add setMaxTotalSupply() and closeMarket() to WildcatMarketController so that the borrower can access these functions:

```solidity
function setMaxTotalSupply(address market, uint256 _maxTotalSupply) external onlyBorrower {
    WildcatMarket(market).setMaxTotalSupply(_maxTotalSupply);
}

function closeMarket(address market) external onlyBorrower {
    WildcatMarket(market).closeMarket();
}
```
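As an added illustration (not code from the Wildcat repository or from the finding), the Foundry test below uses two minimal stand-in contracts to show the two-layer gate the finding describes: the market trusts only its controller, so the borrower's direct call reverts, while the recommended pass-through functions let the borrower reach both entry points through the controller. The stub names (MarketStub, ControllerStub), the custom errors, the constructor shapes and the isClosed flag are assumptions chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "forge-std/Test.sol";

// Stand-in for the market (assumed shape): both admin functions are gated to the controller.
contract MarketStub {
    address public immutable controller;
    uint256 public maxTotalSupply;
    bool public isClosed;
    error NotController();
    constructor(address c, uint256 cap) { controller = c; maxTotalSupply = cap; }
    modifier onlyController() { if (msg.sender != controller) revert NotController(); _; }
    function setMaxTotalSupply(uint256 cap) external onlyController { maxTotalSupply = cap; }
    function closeMarket() external onlyController { isClosed = true; }
}

// Stand-in controller carrying the two pass-through functions the finding recommends.
contract ControllerStub {
    address public immutable borrower;
    error NotBorrower();
    constructor(address b) { borrower = b; }
    modifier onlyBorrower() { if (msg.sender != borrower) revert NotBorrower(); _; }
    function setMaxTotalSupply(address m, uint256 cap) external onlyBorrower { MarketStub(m).setMaxTotalSupply(cap); }
    function closeMarket(address m) external onlyBorrower { MarketStub(m).closeMarket(); }
}

contract BorrowerAccessTest is Test {
    address borrower = address(0xB0B); // constructed borrower address
    ControllerStub controller;
    MarketStub market;
    function setUp() public {
        controller = new ControllerStub(borrower);
        market = new MarketStub(address(controller), 1_000e18);
    }
    // The borrower calling the market directly is rejected: the market trusts only the controller.
    function testBorrowerCannotCallMarketDirectly() public {
        vm.prank(borrower);
        vm.expectRevert(MarketStub.NotController.selector);
        market.setMaxTotalSupply(500e18);
    }
    // With the pass-through functions in place, the borrower reaches both functions via the controller.
    function testBorrowerViaController() public {
        vm.startPrank(borrower);
        controller.setMaxTotalSupply(address(market), 500e18);
        controller.closeMarket(address(market));
        vm.stopPrank();
        assertEq(market.maxTotalSupply(), 500e18);
        assertTrue(market.isClosed());
    }
}
```

Removing the two functions from ControllerStub makes the second test fail to compile, which is the situation the finding reports: no path from the borrower to the gated market functions.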
Access Control
#0 - c4-pre-sort
2023-10-27T06:25:17Z
minhquanym marked the issue as duplicate of #162
#1 - c4-pre-sort
2023-10-27T06:58:19Z
minhquanym marked the issue as duplicate of #147
#2 - c4-judge
2023-11-07T13:50:43Z
MarioPoneder marked the issue as satisfactory
#3 - c4-judge
2023-11-07T14:14:11Z
MarioPoneder marked the issue as selected for report
#4 - laurenceday
2023-11-09T08:33:56Z
#5 - laurenceday
2023-11-09T10:37:43Z
Lodging a protest against the High Risk decision, however:
In either case, assets are not at direct risk while in the market: the definition of High Risk as given by the label is 'assets can be stolen/lost/compromised directly'. This does not apply here. It's certainly a Medium, however, and a valuable finding in and of itself.
#6 - MarioPoneder
2023-11-09T17:47:06Z
I partially agree with the sponsor. However, if the protocol was deployed with this bug, it would lack 2 core functionalities. A protocol being fully functional as intended, which is crucial to attract and keep customers/users with funds in the long term, can be considered a valuable asset itself. Although Medium severity is predestined for this category of findings which impede the function of a protocol, High severity seems justified given the impact.
The following might further clarify my reasoning:
Please also consider that not all findings that lead to lost or stolen funds will strictly yield a High severity finding, since it depends on the amount of funds at risk.
In contrast, not every impeded functionality will only yield Medium severity.
Further info for wardens: Duplicates that found only 1 of the 2 instances of the present issue are awarded with partial-50.
#7 - laurenceday
2023-11-14T17:26:29Z
Fair enough - not going to throw toys out of the pram over semantics. Appreciate the feedback!
#8 - c4-sponsor
2023-11-14T17:26:36Z
laurenceday (sponsor) confirmed