Platform: Code4rena
Start Date: 16/10/2023
Pot Size: $60,500 USDC
Total HM: 16
Participants: 131
Period: 10 days
Judge: 0xTheC0der
Total Solo HM: 3
Id: 296
League: ETH
Rank: 37/131
Findings: 2
Award: $182.26
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: MiloTruck
Also found by: 0xStalin, DarkTower, GREY-HAWK-REACH, InAllHonesty, J4X, YusSecurity, devival
172.0937 USDC - $172.09
According to the docs, the lender that deposits 133.7 XYZ tokens into a market will receive 133.7 market tokens - with the market token name depending on what was selected by the borrower when the market was launched.
However, the above architecture does not handle the case when XYZ is a rebasing (or elastic) token whose supply is algorithmically adjusted. The issue might lead to a permanent loss of funds as tokens would stay locked in the contract.
The issue also breaks the following property: The supply of the market token and assets owed by the borrower should always match.
Wildcat-Gitbook#deposits WildcatMarket.sol#L86
Manual Review
ERC20
#0 - c4-pre-sort
2023-10-27T09:59:19Z
minhquanym marked the issue as duplicate of #503
#1 - c4-judge
2023-11-07T22:50:42Z
MarioPoneder changed the severity to 2 (Med Risk)
#2 - c4-judge
2023-11-07T22:54:51Z
MarioPoneder marked the issue as satisfactory
🌟 Selected for report: J4X
Also found by: 0x3b, 0xCiphky, 0xComfyCat, 0xStalin, 0xbepresent, 3docSec, DavidGiladi, DeFiHackLabs, Drynooo, Fulum, GREY-HAWK-REACH, InAllHonesty, MatricksDeCoder, Mike_Bello90, MiloTruck, Phantom, SHA_256, T1MOH, Udsen, VAD37, YusSecurity, ZdravkoHr, ast3ros, caventa, deepkin, deth, devival, ggg_ttt_hhh, inzinko, jasonxiale, josieg_74497, karanctf, ke1caM, nisedo, nobody2018, nonseodion, osmanozdemir1, radev_sw, rvierdiiev, serial-coder, t0x1c
10.1663 USDC - $10.17
As mentioned in the previous audit by aleph_v, protocol fees can be bypassed while still paying the same rate to the lenders. The issue was neither resolved nor acknowledged.
The overall interest paid by the borrower is the interest times the protocol fee plus any delinquency fees. By setting the delinquency fee percent to the intended interest and then setting the protocol interest percent to zero (or close to zero) the borrower can construct a vault which pays the lenders the same amount of interest via delinquency fees as it would pay via interest. The borrower can increase the liquidity requirements to force payment of persistent delinquency fees. In this case the lenders have no incentive to withdraw as they get the same rate and borrowers pay a net lower fee as no protocol fee is collected. aleph_v, FeeMath.sol#L45
Manual Review
Charge protocol fees on the extra interest which is paid by delinquent loans.
Other
#0 - c4-pre-sort
2023-10-28T17:11:34Z
minhquanym marked the issue as sufficient quality report
#1 - laurenceday
2023-10-31T23:47:15Z
Not a finding, and also quoting something specifically out of scope from a previous review.
#2 - c4-sponsor
2023-10-31T23:47:21Z
laurenceday (sponsor) disputed
#3 - c4-judge
2023-11-07T16:02:28Z
MarioPoneder changed the severity to QA (Quality Assurance)
#4 - MarioPoneder
2023-11-07T16:09:06Z
QA:
README, I cannot see where it was specifically declared out of scope.#5 - c4-judge
2023-11-09T14:52:51Z
MarioPoneder marked the issue as grade-b