Back to WatchPug's contests

bunker.finance contest - WatchPug's results

The easiest way to borrow against your NFTs.

General Information

Platform: Code4rena

Start Date: 03/05/2022

Pot Size: $50,000 USDC

Total HM: 4

Participants: 46

Period: 5 days

Judge: gzeon

Total Solo HM: 2

Id: 117

League: ETH

bunker.finance

Findings Distribution

Researcher Performance

Rank: 34/46

Findings: 1

Award: $98.13

🌟 Selected for report: 0

πŸš€ Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings Repositorybunker.finance

Findings Information

🌟 Selected for report: BowTiedWardens

Also found by: 0x1337, 0x1f8b, 0x4non, 0xDjango, David_, Funen, GimelSec, IllIllI, Picodes, TerrierLover, WatchPug, bobi, cryptphi, csanuragjain, delfin454000, dirk_y, ellahi, fatherOfBlocks, hyh, ilan, jayjonah8, kebabsec, leastwood, oyc_109, robee, samruna, simon135, sorrynotsorry, throttle

Awards

98.1322 USDC - $98.13

Labels

bug
disagree with severity
QA (Quality Assurance)
sponsor confirmed

External Links

Link to GitHub issue

Lines of code

https://github.com/bunkerfinance/bunker-protocol/blob/752126094691e7457d08fc62a6a5006df59bd2fe/contracts/Comptroller.sol#L1337-L1359

Vulnerability details

https://github.com/bunkerfinance/bunker-protocol/blob/752126094691e7457d08fc62a6a5006df59bd2fe/contracts/Comptroller.sol#L1337-L1359

function _initializeNftCollateral(CNftInterface cNft, NftPriceOracle _nftOracle, uint256 _collateralFactorMantissa) external returns (uint) {
    require(address(nftMarket) == address(0), "nft collateral already initialized");
    require(address(cNft) != address(0), "cannot initialize nft market to the 0 address");

    if (msg.sender != admin) {
        return fail(Error.UNAUTHORIZED, FailureInfo.SUPPORT_MARKET_OWNER_CHECK);
    }

    if (markets[address(cNft)].isListed) {
        return fail(Error.MARKET_ALREADY_LISTED, FailureInfo.SUPPORT_MARKET_EXISTS);
    }

    cNft.isCNft(); // Sanity check to make sure its really a cNFT.

    nftMarket = cNft;
    nftOracle = _nftOracle;

    // Note that isComped is not in active use anymore
    markets[address(cNft)] = Market({isListed: true, isComped: false, collateralFactorMantissa: _collateralFactorMantissa});

    // We do not support borrowing NFTs.
    borrowGuardianPaused[address(cNft)] = false;
}

https://github.com/bunkerfinance/bunker-protocol/blob/752126094691e7457d08fc62a6a5006df59bd2fe/contracts/Comptroller.sol#L80-L81

// No collateralFactorMantissa may exceed this value
uint internal constant collateralFactorMaxMantissa = 0.9e18; // 0.9

There is a collateralFactorMaxMantissa which limits the collateral factor to be always lower than 0.9.

Per the comment:

No collateralFactorMantissa may exceed this value

However, in _initializeNftCollateral(), the _collateralFactorMantissa is set without any check, which means it can be set to a value > 0.9 or even > 1.

As a result, the borrowers may deliberately choose not to repay as their collateral may not be worth the debt in the first place. This can accumulate bad debt in the whole system.

Recommendation

Change to:

// Check collateral factor <= 0.9
Exp memory highLimit = Exp({mantissa: collateralFactorMaxMantissa});
if (lessThanExp(highLimit, _collateralFactorMantissa)) {
    return fail(Error.INVALID_COLLATERAL_FACTOR, FailureInfo.SET_COLLATERAL_FACTOR_VALIDATION);
}

markets[address(cNft)] = Market({isListed: true, isComped: false, collateralFactorMantissa: _collateralFactorMantissa});

#0 - bunkerfinance-dev

2022-05-18T06:24:10Z

Don't think this is high severity because it requires the admin to make a mistake in setting collateral factor, but bug acknowledged.

#1 - gzeoneth

2022-05-29T12:55:09Z

Downgrading to Low / QA as this require admin misconfiguration.

#2 - gzeoneth

2022-05-29T13:30:45Z

Treating as warden's QA report.

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax Β© 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter