The Wildcat Protocol - KeyKiril's results

Banking, but worse - a protocol for fixed-rate, undercollateralised credit facilities.

General Information

Platform: Code4rena

Start Date: 16/10/2023

Pot Size: $60,500 USDC

Total HM: 16

Participants: 131

Period: 10 days

Judge: 0xTheC0der

Total Solo HM: 3

Id: 296

League: ETH


Researcher Performance

Rank: 102/131

Findings: 1

Award: $6.67

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

6.6715 USDC - $6.67

Labels

bug
3 (High Risk)
satisfactory
upgraded by judge
duplicate-68

External Links

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/market/WildcatMarketWithdrawals.sol#L164-L170

Vulnerability details

Impact

The accountAddress (the lender's address) is passed where the borrower address belongs when the escrow is created. As a result, the escrow treats the lender as the borrower instead of the actual borrower.

Proof of Concept

In the following code, the sentinel is asked to create an escrow, but the arguments passed to it are in the wrong order.

    if (IWildcatSanctionsSentinel(sentinel).isSanctioned(borrower, accountAddress)) {
      _blockAccount(state, accountAddress);
      // Bug: the lender (accountAddress) is passed in the `borrower` slot and the
      // borrower in the `account` slot of createEscrow(borrower, account, asset).
      address escrow = IWildcatSanctionsSentinel(sentinel).createEscrow(
        accountAddress,
        borrower,
        address(asset)
      );
      // ... remainder of the block not shown in the report
    }

The arguments are passed in this order: accountAddress, borrower, address(asset).

However, the "createEscrow" function being called, defined in "WildcatSanctionsSentinel.sol", declares its parameters in a different order: address borrower, address account, address asset.

    function createEscrow(
      address borrower,
      address account,
      address asset
    ) public override returns (address escrowContract) {
      // Only registered markets may create escrows
      if (!IWildcatArchController(archController).isRegisteredMarket(msg.sender)) {
        revert NotRegisteredMarket();
      }
      // ... remainder of the function not shown in the report
    }

Therefore, recording the lender as the borrower might lead to several issues. For example, the lender might be blocked yet still be eligible to call "releaseEscrow", among other consequences.

Tools Used

VS Code, manual review

Recommended Mitigation Steps

Reorder the arguments passed to "createEscrow" in the "executeWithdrawal" function so that they match the sentinel's declared parameter order: address borrower, address account, address asset.
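The mismatch and its fix in a minimal, self-contained Solidity model. This is an added example, not Wildcat's code: SentinelLike, EscrowLike and MarketLike are stand-ins that keep only the createEscrow(borrower, account, asset) parameter order from the report, and the named-argument call is the added hardening that makes a slot swap impossible to compile.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Stand-in for the sentinel interface: only the parameter order matters here.
interface ISentinelLike {
    function createEscrow(address borrower, address account, address asset)
        external returns (address escrow);
}

// Stand-in escrow that simply records which address landed in which slot.
contract EscrowLike {
    address public immutable borrower;
    address public immutable account;
    address public immutable asset;
    constructor(address borrower_, address account_, address asset_) {
        borrower = borrower_;
        account = account_;
        asset = asset_;
    }
}

contract SentinelLike is ISentinelLike {
    function createEscrow(address borrower, address account, address asset)
        external override returns (address) {
        return address(new EscrowLike(borrower, account, asset));
    }
}

contract MarketLike {
    ISentinelLike public immutable sentinel;
    address public immutable borrower;
    address public immutable asset;
    constructor(ISentinelLike sentinel_, address borrower_, address asset_) {
        sentinel = sentinel_;
        borrower = borrower_;
        asset = asset_;
    }

    // Buggy order from the report: every parameter is `address`, so the
    // compiler accepts the swap silently and the lender becomes `borrower`.
    function escrowBuggy(address accountAddress) external returns (address) {
        return sentinel.createEscrow(accountAddress, borrower, asset);
    }

    // Fixed: named arguments bind each value to its parameter by name, so the
    // positional order no longer matters and a mismatch fails to compile.
    function escrowFixed(address accountAddress) external returns (address) {
        return sentinel.createEscrow({borrower: borrower, account: accountAddress, asset: asset});
    }
}
```

Reading `EscrowLike(escrowBuggy(lender)).borrower()` returns the lender's address, while the fixed path records the market's borrower there; a unit test asserting on those two getters catches this class of bug before deployment.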

Assessed type

Error

#0 - c4-pre-sort

2023-10-27T02:31:28Z

minhquanym marked the issue as duplicate of #515

#1 - c4-judge

2023-11-07T11:46:36Z

MarioPoneder changed the severity to 3 (High Risk)

#2 - c4-judge

2023-11-07T11:56:58Z

MarioPoneder marked the issue as satisfactory
