The Wildcat Protocol - cu5t0mpeo's results

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/market/WildcatMarketConfig.sol#L128-L144

Vulnerability details

Impact

No one can modify TotalSupply, which will result in the borrower being unable to modify TotalSupply.

Proof of Concept

Since this function needs to be called by the controller, but the controller does not implement the function of calling this function, this function cannot be called.

    /**
     * @dev Sets the maximum total supply - this only limits deposits and
     *      does not affect interest accrual.
     *
     *      Can not be set lower than current total supply.
     */
    function setMaxTotalSupply(
        uint256 _maxTotalSupply
    ) external onlyController nonReentrant { // @audit high - this function don‘t call
        MarketState memory state = _getUpdatedState();

        if (_maxTotalSupply < state.totalSupply()) {
            revert NewMaxSupplyTooLow();
        }

        state.maxTotalSupply = _maxTotalSupply.toUint128();
        _writeState(state);
        emit MaxTotalSupplyUpdated(_maxTotalSupply);
    }

Tools Used

Manual Review

Recommended Mitigation Steps

Just add relevant functions in the controller

Assessed type

Error

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/WildcatMarketController.sol#L182-L190

Vulnerability details

Impact

In addition to block,strangers can set their approve to WithdrawOnly

Proof of Concept

Except for those whose approve is block, this function will set the permission of the parameter lender to WithdrawOnly.

  /**
   * @dev Update lender authorization for a set of markets to the current
   *      status.
   */
  function updateLenderAuthorization(address lender, address[] memory markets) external {
    for (uint256 i; i < markets.length; i++) {
      address market = markets[i];
      if (!_controlledMarkets.contains(market)) {
        revert NotControlledMarket();
      }
      WildcatMarket(market).updateAccountAuthorization(lender, _authorizedLenders.contains(lender));
    }
  }

updateAccountAuthorization

  /**
   * @dev Updates an account's authorization status based on whether the controller
   *      has it marked as approved.
   */
  function updateAccountAuthorization(
    address _account,
    bool _isAuthorized
  ) external onlyController nonReentrant {
    MarketState memory state = _getUpdatedState();
    Account memory account = _getAccount(_account);
    if (_isAuthorized) {
      account.approval = AuthRole.DepositAndWithdraw;
    } else {
      account.approval = AuthRole.WithdrawOnly;
    }
    _accounts[_account] = account;
    _writeState(state);
    emit AuthorizationStatusUpdated(_account, account.approval);
  }

poc:

// SPDX-License-Identifier: NONE
pragma solidity >=0.8.20;

import './BaseMarketTest.sol';
import 'src/interfaces/IMarketEventsAndErrors.sol';
import 'src/libraries/MathUtils.sol';
import 'src/libraries/SafeCastLib.sol';
import 'src/libraries/MarketState.sol';
import 'solady/utils/SafeTransferLib.sol';
import 'forge-std/console.sol';

contract MyTest is BaseMarketTest, IWildcatMarketControllerEventsAndErrors {

  function test_updateLenderAuthorization() public {
    address borrower = address(1);
    address account = address(2);
    address[] memory markets = new address[](1);
    markets[0] = address(market);
    vm.prank(account);
    controller.updateLenderAuthorization(account, markets);
    if (market.getAccountRole(account) == AuthRole.WithdrawOnly) {
        console.log("success");
    }
  }
}

result:

Running 1 test for test/MyTest.t.sol:MyTest
[PASS] test_updateLenderAuthorization() (gas: 72967)
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 7.83ms

Tools Used

Manual Review

Recommended Mitigation Steps

It is recommended to check whether the updateLenderAuthorization function is called by borrower

Assessed type

Access Control

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/market/WildcatMarketToken.sol#L64-L82 https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/market/WildcatMarketToken.sol#L36-L57

Vulnerability details

Impact

Users can bypass Escrow to claim target tokens, making WildcatSanctionsEscrow useless.

Proof of Concept

When the market token performs transfer or transferFrom, it will not determine whether the caller is in the block state.

  function transfer(address to, uint256 amount) external virtual nonReentrant returns (bool) {
    _transfer(msg.sender, to, amount);
    return true;
  }

  function transferFrom(
    address from,
    address to,
    uint256 amount
  ) external virtual nonReentrant returns (bool) {
    uint256 allowed = allowance[from][msg.sender];

    // Saves gas for unlimited approvals.
    if (allowed != type(uint256).max) {
      uint256 newAllowance = allowed - amount;
      _approve(from, msg.sender, newAllowance);
    }

    _transfer(from, to, amount);

    return true;
  }
    ...
    
      function _transfer(address from, address to, uint256 amount) internal virtual {
    MarketState memory state = _getUpdatedState();
    uint104 scaledAmount = state.scaleAmount(amount).toUint104();

    if (scaledAmount == 0) {
      revert NullTransferAmount();
    }

    Account memory fromAccount = _getAccount(from);
    fromAccount.scaledBalance -= scaledAmount;
    _accounts[from] = fromAccount;

    Account memory toAccount = _getAccount(to);
    toAccount.scaledBalance += scaledAmount;
    _accounts[to] = toAccount;

    _writeState(state);
    emit Transfer(from, to, amount);
  }
    

A sanctioned lender can transfer market tokens to other users, and then change its approve to WithdrawOnly to finally receive the target token through the lax permission check of updateLenderAuthorization

Tools Used

Manual Review

Recommended Mitigation Steps

When market tokens are transferred, determine whether msg.sender has the authority to transfer tokens.

Assessed type

Token-Transfer

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/WildcatMarketController.sol#L468-L488

Vulnerability details

Impact

Make annualInterestBips change to a value outside the range, causing some unnecessary errors

Proof of Concept

setAnnualInterestBips does not do a check from minimumAnnualInterestBips to maximumAnnualInterestBips

  /**
   * @dev Modify the interest rate for a market.
   * If the new interest rate is lower than the current interest rate,
   * the reserve ratio is set to 90% for the next two weeks.
   */
  function setAnnualInterestBips(
    address market,
    uint16 annualInterestBips
  ) external virtual onlyBorrower onlyControlledMarket(market) {
    // If borrower is reducing the interest rate, increase the reserve
    // ratio for the next two weeks.
    if (annualInterestBips < WildcatMarket(market).annualInterestBips()) {
      TemporaryReserveRatio storage tmp = temporaryExcessReserveRatio[market];

      if (tmp.expiry == 0) {
        tmp.reserveRatioBips = uint128(WildcatMarket(market).reserveRatioBips());

        // Require 90% liquidity coverage for the next 2 weeks
        WildcatMarket(market).setReserveRatioBips(9000);
      }

      tmp.expiry = uint128(block.timestamp + 2 weeks);
    }

    WildcatMarket(market).setAnnualInterestBips(annualInterestBips);
  }

poc(The MaximumAnnualInterestBips of the file TestConstants.sol needs to be set to 9000. The test sample is completed in WildcatMarketController.t.sol):

  function test_setAnnualInterestBips_range() public {
    MarketParameterConstraints memory constraints = controller.getParameterConstraints();
    vm.prank(borrower);

    console.log("before:%d\n",constraints.maximumAnnualInterestBips + 1);
    controller.setAnnualInterestBips(address(market), constraints.maximumAnnualInterestBips + 1);
    console.log("after:%d\n",market.annualInterestBips());

    assertEq(market.annualInterestBips(), constraints.maximumAnnualInterestBips + 1, 'APR');

  }

Tools Used

Manual Review

Recommended Mitigation Steps

  /**
   * @dev Modify the interest rate for a market.
   * If the new interest rate is lower than the current interest rate,
   * the reserve ratio is set to 90% for the next two weeks.
   */
  function setAnnualInterestBips(
    address market,
    uint16 annualInterestBips
  ) external virtual onlyBorrower onlyControlledMarket(market) {
    if (annualInterestBips < MinimumAnnualInterestBips || annualInterestBips > MaximumAnnualInterestBips) {
    	revert OutFlowRange();
    }
    // If borrower is reducing the interest rate, increase the reserve
    // ratio for the next two weeks.
    if (annualInterestBips < WildcatMarket(market).annualInterestBips()) {
      TemporaryReserveRatio storage tmp = temporaryExcessReserveRatio[market];

      if (tmp.expiry == 0) {
        tmp.reserveRatioBips = uint128(WildcatMarket(market).reserveRatioBips());

        // Require 90% liquidity coverage for the next 2 weeks
        WildcatMarket(market).setReserveRatioBips(9000);
      }

      tmp.expiry = uint128(block.timestamp + 2 weeks);
    }

    WildcatMarket(market).setAnnualInterestBips(annualInterestBips);
  }

Assessed type

Other