veRWA - T1MOH's results

Incentivization Primitive for Real World Assets on Canto

General Information

Platform: Code4rena

Start Date: 07/08/2023

Pot Size: $36,500 USDC

Total HM: 11

Participants: 125

Period: 3 days

Judge: alcueca

Total Solo HM: 4

Id: 274

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 75/125

Findings: 1

Award: $9.82

QA: grade-a

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-08-verwa/blob/9a2e7be003bc1a77b3b87db31f3d5a1bcb48ed32/src/LendingLedger.sol#L131
https://github.com/code-423n4/2023-08-verwa/blob/9a2e7be003bc1a77b3b87db31f3d5a1bcb48ed32/src/LendingLedger.sol#L204-L207

Vulnerability details

Impact

Internal balances of the market and of each lender per epoch are updated when the market calls sync_ledger() on a deposit or withdrawal. However, they will not be updated while the market is removed from the whitelist. If governance later whitelists the market again, the internal balances will no longer correspond to the actual balances on the market, because the updates that happened in between were refused. As a result, the ledger's data is corrupted once the market is re-added to the whitelist.

Proof of Concept

sync_ledger() does not perform any internal update when the calling market is not whitelisted:

    function sync_ledger(address _lender, int256 _delta) external {
        address lendingMarket = msg.sender;
        require(lendingMarketWhitelist[lendingMarket], "Market not whitelisted");

        ...
    }

Deposits and withdrawals will still be processed on the market, but the ledger is not updated. If governance then returns this market to the whitelist, all accounting is corrupted: balances in LendingLedger will not reflect the actual balances on the market.
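The drift described above, as an added illustration that is not part of the original finding or the veRWA code: a simplified Python model of the ledger's whitelist check and a market that, as the finding assumes, keeps processing deposits and withdrawals while delisted. Names such as `marketA`, `alice` and the `drift()` check are constructed for this example.

```python
# Constructed model of the LendingLedger accounting gap (not the veRWA contracts).
# The ledger only learns about balance changes through sync_ledger(), which
# refuses calls from a non-whitelisted market, mirroring the Solidity require().

class MarketNotWhitelisted(Exception):
    pass

class LendingLedger:
    def __init__(self):
        self.whitelist = {}   # market -> bool   (lendingMarketWhitelist)
        self.balances = {}    # (market, lender) -> int

    def whitelist_market(self, market, allowed):
        self.whitelist[market] = allowed

    def sync_ledger(self, market, lender, delta):
        # require(lendingMarketWhitelist[lendingMarket], "Market not whitelisted")
        if not self.whitelist.get(market, False):
            raise MarketNotWhitelisted(market)
        key = (market, lender)
        self.balances[key] = self.balances.get(key, 0) + delta

class LendingMarket:
    """Keeps its own balances and reports each delta to the ledger."""
    def __init__(self, name, ledger):
        self.name, self.ledger, self.balances = name, ledger, {}

    def move(self, lender, delta):
        self.balances[lender] = self.balances.get(lender, 0) + delta
        try:
            self.ledger.sync_ledger(self.name, lender, delta)
        except MarketNotWhitelisted:
            pass  # the market processed the operation; the ledger did not see it

def drift(market, ledger):
    """Lenders whose ledger balance disagrees with the market: {lender: (market, ledger)}."""
    return {l: (b, ledger.balances.get((market.name, l), 0))
            for l, b in market.balances.items()
            if ledger.balances.get((market.name, l), 0) != b}

def scenario():
    ledger = LendingLedger()
    market = LendingMarket("marketA", ledger)
    ledger.whitelist_market("marketA", True)
    market.move("alice", 100)                 # synced: market 100, ledger 100
    ledger.whitelist_market("marketA", False)  # market delisted
    market.move("alice", -60)                 # dropped: market 40, ledger 100
    ledger.whitelist_market("marketA", True)   # market re-added
    market.move("alice", 10)                  # synced: market 50, ledger 110
    return drift(market, ledger)              # returns {'alice': (50, 110)}
```

Running `drift()` after any re-whitelisting is the check a reviewer would want: a non-empty result means the ledger's epoch accounting no longer matches the market and needs a reset before rewards are computed from it.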

Tools Used

Manual review

Recommended Mitigation Steps

Explicitly disallow removing markets from the whitelist.

Assessed type

Other

#0 - c4-pre-sort

2023-08-11T14:15:17Z

141345 marked the issue as primary issue

#1 - 141345

2023-08-13T13:33:14Z

Delisting and listing back might not be an expected governance operation.

Some of the dups only talk about the delist part, not the list-back. However, the issue in common is about delisting a market, so combine.

Dup https://github.com/code-423n4/2023-08-verwa-findings/issues/163 makes an even lower-probability assumption.

#2 - c4-sponsor

2023-08-16T13:33:36Z

OpenCoreCH marked the issue as sponsor disputed

#3 - OpenCoreCH

2023-08-16T13:40:11Z

If a market is removed from the whitelist, it is per definition no longer allowed to update balances from this point in time.

Re-adding a blacklisted market should usually not happen. The only thing I can imagine is if a market was exploited, temporarily removed, the exploit was fixed (for an upgradeable contract), and the market is then re-added. In this case, there is a need for a restart procedure anyway; the market could for instance reset the balance of a user to 0 and send the correct one on the first operation.

#4 - c4-sponsor

2023-08-16T13:40:16Z

OpenCoreCH marked the issue as sponsor acknowledged

#5 - c4-judge

2023-08-24T21:42:31Z

alcueca changed the severity to QA (Quality Assurance)
