The Wildcat Protocol - HALITUS's results

Banking, but worse - a protocol for fixed-rate, undercollateralised credit facilities.

General Information

Platform: Code4rena

Start Date: 16/10/2023

Pot Size: $60,500 USDC

Total HM: 16

Participants: 131

Period: 10 days

Judge: 0xTheC0der

Total Solo HM: 3

Id: 296

League: ETH

Wildcat Protocol


Researcher Performance

Rank: 125/131

Findings: 1

Award: $0.06

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/main/src/market/WildcatMarketConfig.sol#L134

Vulnerability details

Impact

As per docs, "Subsequent to launch, base APR and capacities can be adjusted by the borrower at will".

After creating a market, a borrower cannot increase the maximum total supply which contradicts the documentation.

Proof of Concept

WildcatMarketConfig.setMaxTotalSupply() is restricted by onlyController, so only the market's MarketController can set the maximum total supply. However, no function exists in the WildcatMarketController.sol contract that calls setMaxTotalSupply() on a deployed market.

So a borrower cannot change the max total supply of a market after deployment.

```solidity
// WildcatMarketConfig.sol
// onlyController: the only permitted caller is the market's controller contract,
// so a borrower (or anyone else) calling this directly reverts.
function setMaxTotalSupply(uint256 _maxTotalSupply) external onlyController nonReentrant {
  ...
  ...
}
```

Tools Used

Manual review

Add a function in WildcatMarketController.sol that allows the borrower to call WildcatMarketConfig.setMaxTotalSupply() on the markets that controller deployed.
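As an added illustration of the recommended fix (example code written for this page, not code from the Wildcat repository): a controller-side function that lets the borrower change a market's cap by forwarding the call, so the market's onlyController check passes. The contract name MarketCapController, the modifier names onlyBorrower and onlyControlledMarket, the isControlledMarket bookkeeping and the IWildcatMarket interface are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the Wildcat repository.
// Minimal interface for the market function quoted in the finding.
interface IWildcatMarket {
  function setMaxTotalSupply(uint256 _maxTotalSupply) external;
}

contract MarketCapController {
  address public immutable borrower;
  // Markets deployed by this controller (assumed bookkeeping for the example;
  // the real controller records its markets in its deployment path).
  mapping(address => bool) public isControlledMarket;

  error NotBorrower();
  error NotControlledMarket();

  event MaxTotalSupplyUpdated(address indexed market, uint256 maxTotalSupply);

  constructor(address _borrower) {
    borrower = _borrower;
  }

  modifier onlyBorrower() {
    if (msg.sender != borrower) revert NotBorrower();
    _;
  }

  modifier onlyControlledMarket(address market) {
    if (!isControlledMarket[market]) revert NotControlledMarket();
    _;
  }

  // Called from the market deployment path (omitted here) to record a market.
  function _registerMarket(address market) internal {
    isControlledMarket[market] = true;
  }

  // The market's setMaxTotalSupply is guarded by onlyController, so the borrower
  // cannot call it directly. The controller forwards the call on the borrower's
  // behalf, limited to markets this controller actually deployed, which keeps
  // the borrower from touching caps of markets it does not own.
  function setMaxTotalSupply(address market, uint256 maxTotalSupply)
    external
    onlyBorrower
    onlyControlledMarket(market)
  {
    IWildcatMarket(market).setMaxTotalSupply(maxTotalSupply);
    emit MaxTotalSupplyUpdated(market, maxTotalSupply);
  }
}
```

Any lower bound on the new cap (for example, rejecting a value below the current supply) belongs in the market's own setMaxTotalSupply, which this forwarding function does not bypass.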

Assessed type

Other

#0 - c4-pre-sort

2023-10-27T06:21:25Z

minhquanym marked the issue as duplicate of #162

#1 - c4-pre-sort

2023-10-27T06:58:28Z

minhquanym marked the issue as duplicate of #147

#2 - c4-judge

2023-11-07T13:54:49Z

MarioPoneder marked the issue as partial-50

#3 - c4-judge

2023-11-07T14:16:53Z

MarioPoneder changed the severity to 3 (High Risk)

#4 - laurenceday

2023-11-08T17:08:52Z

Noting the upgrade to High Risk here: countering that all this means as is is that the current market token capacity cannot be changed after deployment: no funds are at risk. We've acknowledged this as a Med Risk elsewhere.
