The Wildcat Protocol - elprofesor's results

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/market/WildcatMarketToken.sol#L36-L39

Vulnerability details

Impact

Wildcat protocol provides lending with lender backed collateral (considered as reserves and the ratio must be upheld by the borrower). WildcatMarketTokens are provided to lenders in return for their base assets, these tokens are ERC20 meaning tokens can be transferred to and from different users. The protocol team has taken certain steps to prevent interaction with sanctioned users which will send funds to an escrow contract to be held until their sanction status is revoked of a borrower accepts strict liability by overriding their sanction status.

Wildcat does not check sanctions on transfer which can lead lenders who are sanctioned to avoid having their funds locked in the designated escrow contract.

Proof of Concept

Consider the following scenario;

1. Assume a wildcat market exists with a lender approved. This lender has deposited an amount of funds and later was sanctioned by Chain Analysis Sentinel
2. If the lender realises they are sanctioned, they can transfer the ERC20 tokens to another account and complete withdrawal process from a non-sanctioned account.

It is worth noting that there are restrictions on this, namely there is a delay between queueing withdrawal and executing withdrawals. This does provide chain-analysis time to update the list which means the bypass is not guaranteed.

Tools Used

Manual Review

Recommended Mitigation Steps

Lenders should have sanction status checked when transferring MarketTokens

Assessed type

ERC20

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/WildcatMarketController.sol#L477-L481

Vulnerability details

Impact

Wildcat protocol provides borrowers the ability to adjust annual interest BIPs after market deployment. In order to protect lenders the protocol increases the reserve ratio of ratio of the market to 90% for two weeks. The increased reserve ratio allows borrowers to exit if they chose for up to 2 weeks before the reserve ratio is reset back to baseline. This calculation assumes initial reserve ratio starts lower than 90%. If the initial reserve ratio is set higher, the borrower can instantly lower the reserve ratio to 90% by lowering the annual interest BIPs.

This allows the borrower the ability to withdraw up to an additional 10% of the market total supply which previously a lender would have considered part of the reserve ratio (something which under normal conditions can't be lowered below the initial baseline level).

Proof of Concept

Consider the following scenario;

1. A borrower deploys a market, sets the reserve ratio to 98%, a seemingly extremely safe market where the lenders have a greater chance than others at being repaid. The lenders accept this market under those conditions.
2. Once the borrower has maxed out the expected totalSupply of marketTokens they can then call WildcatMarketController.setAnnualInterestBips() where the annual interest rate value is lower than expected. This will instantly give them access to an additional 8% of user funds.

Further notes: it is important to note that setting reserve ratios of 98% is allowed by the system currently and it is important to consider that the market lenders and borrowers though agreeing to a system perhaps not run as intended by Wildcat, can only agree to how they believe the system to behave. Without strictly inspecting the code a lender would have no idea that despite having a reserve ratio of 98%, the borrower has access to 10%, not 2% of lender funds.

I have set the rating for this as medium due to the setup requirements of this attack. Though it could be argued that 8% of user funds could attribute to a significant portion. The file is both in scope and no notes have been included in the audit about any out of scope aspects of invariant testing.

Tools Used

Manual Review

Recommended Mitigation Steps

Lenders should have sanction status checked when transferring.

Assessed type

Rug-Pull