Platform: Code4rena
Start Date: 16/10/2023
Pot Size: $60,500 USDC
Total HM: 16
Participants: 131
Period: 10 days
Judge: 0xTheC0der
Total Solo HM: 3
Id: 296
League: ETH
Rank: 93/131
Findings: 1
Award: $10.17
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: J4X
Also found by: 0x3b, 0xCiphky, 0xComfyCat, 0xStalin, 0xbepresent, 3docSec, DavidGiladi, DeFiHackLabs, Drynooo, Fulum, GREY-HAWK-REACH, InAllHonesty, MatricksDeCoder, Mike_Bello90, MiloTruck, Phantom, SHA_256, T1MOH, Udsen, VAD37, YusSecurity, ZdravkoHr, ast3ros, caventa, deepkin, deth, devival, ggg_ttt_hhh, inzinko, jasonxiale, josieg_74497, karanctf, ke1caM, nisedo, nobody2018, nonseodion, osmanozdemir1, radev_sw, rvierdiiev, serial-coder, t0x1c
10.1663 USDC - $10.17
Checking for the zero address is a common security practice that prevents actions which could be malicious or unintentional. Typically, transfers, approvals, and other token-related operations involving the zero address should be rejected to protect the integrity of the token.
Add a check for spender in the approve function: require(spender != address(0));
Line of code: https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/market/WildcatMarketToken.sol#L59-L61
msg.sender
This line of code, https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/market/WildcatMarketToken.sol#L60, does not follow the ERC20 token standard. Since the approver is the owner, it is recommended to identify the approver as msg.sender.
Inconsistencies in data types can introduce vulnerabilities. In the contract WildcatMarketWithdrawals.sol the data type used for expiry is uint32, but in WildcatMarketController.sol the expiry data type used is uint128. This could lead to incorrect comparisons or calculations when these contracts interact. Using consistent data types also makes the code more readable and understandable for both developers and auditors: it is easier to identify the purpose of a variable when the naming and data type conventions are consistent throughout the codebase.
Lines: https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/market/WildcatMarketWithdrawals.sol#L29, https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/WildcatMarketController.sol#L15
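The following is an added illustration, not Wildcat code, of the failure mode behind this finding: an explicit cast from a uint128 expiry to a uint32 field silently drops the high bits, so a checked cast that reverts instead is preferable. It assumes (hypothetically) that a controller-side uint128 value is written into a market-side uint32 field; all contract and function names are invented for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not part of the audited codebase. Names are hypothetical.
library CheckedCast {
    error ValueTooLarge(uint256 value);

    // Narrow a uint128 to uint32, reverting if the value does not fit.
    function toUint32(uint128 value) internal pure returns (uint32) {
        if (value > type(uint32).max) revert ValueTooLarge(value);
        return uint32(value);
    }
}

contract ExpiryExample {
    using CheckedCast for uint128;

    // Market-side field, mirroring the report's uint32 expiry.
    uint32 public storedExpiry;

    // Unchecked explicit cast: Solidity truncates to the low 32 bits, so an
    // expiry of 2**32 + 1 is stored as 1 and is already in the past.
    function setExpiryUnchecked(uint128 controllerExpiry) external {
        storedExpiry = uint32(controllerExpiry);
    }

    // Checked cast: reverts rather than storing a wrapped expiry.
    function setExpiryChecked(uint128 controllerExpiry) external {
        storedExpiry = controllerExpiry.toUint32();
    }

    // Comparison against the stored value; with the unchecked setter a
    // wrapped expiry makes this return true immediately.
    function hasExpired() external view returns (bool) {
        return block.timestamp >= storedExpiry;
    }
}
```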
WildcatSanctionsSentinel.sol
It's essential to ensure that the tmpEscrowParams variable is properly initialized before use. In the constructor, _resetTmpEscrowParams() is called to initialize it, but it should also be initialized explicitly at the declaration point.
https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/WildcatSanctionsSentinel.sol#L18
https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/WildcatSanctionsSentinel.sol#L24-L28
#0 - c4-judge
2023-11-09T16:04:27Z
MarioPoneder marked the issue as grade-b