Closed c4-submissions closed 10 months ago
minhquanym marked the issue as primary issue
minhquanym marked the issue as sufficient quality report
d1ll0n (sponsor) confirmed
MarioPoneder marked the issue as satisfactory
MarioPoneder marked the issue as selected for report
MarioPoneder marked issue #500 as primary and marked this issue as a duplicate of 500
Lines of code
https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/market/WildcatMarket.sol#L106-L107
Vulnerability details
Impact
Asset balance is overestimated by amount of
withdrawableFees
in delinquency check in_writeState()
while collecting protocol fees.Suppose current market state: 1) assetBalance = 1000 2) accruedProtocolFees = 200 3) requiredReserves = 600 4) unclaimedWithdrawals = 300
Obviously after repaying protocolFee market should be marked delinquent because
900 > 800 is true
However it will perform check900 > 1000 is false
, leaving market non-delinquentProof of Concept
Here it firstly updates
state.accruedProtocolFees
, than writes state, than transfers asset. Note that asset transfer is after_writeState
._writeState()
checks whether market is delinquent:Let's have a look on what values are checked. Asset balance is checked against liabilities. Note that
state.accruedProtocolFees
was previously reduced bywithdrawableFees
totalAssets()
is current balance of asset:Issue is that above check occurs before asset transfer. In fact asset balance is higher by the amount of
withdrawableFees
than actual balance during delinquency checkThat's how asset is overestimated and can not mark market delinquent.
Tools Used
Manual Review
Recommended Mitigation Steps
Check it after transfer
And change it in
borrow()
for future, despite now there is no issueAssessed type
Error