Wise Lending - Mrxstrange's results

Lines of code

https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/TransferHub/CallOptionalReturn.sol#L19-L33 https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseLending.sol#L796

Vulnerability details

Discriptipon

• withdraw privately deposited ERC20 funds is used throughout the code via _safeTransfer() function in WiseLending.sol L-781 . According to Solidity Docs the call may return true even if it was a failure. This may result in user funds lost because funds were transferred into this contract in preparation for the withdrawal. The withdraw fails but doesn’t revert. There is a way this can happen through WiseLending.sol due to a missing require that is present in the other facets which is a separate issue but gives this issue more relevance.

Proof of Concept

1. Alice withdraw ERC20 funds
2. Alice’s are sent to the WiseLending.sol contract
3. The call on solelyWithdraw() -> _safeTransfer() -> _callOptionalReturn(_token,abi.encodeWithSelector(IERC20.transfer.selector,_to,_value));; fails but returns success due to nonexisting contract
4. Alice receives nothing in return

There are 3 instances of this issue:

https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseLending.sol#L738

https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseLending.sol#L889


https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseLending.sol#L926

Recommended Mitigation Steps

• Check for contract existence.

A similar issue was awarded a medium here.

https://github.com/code-423n4/2022-01-trader-joe-findings/issues/170

Assessed type

Access Control