Closed c4-submissions closed 11 months ago
minhquanym marked the issue as low quality report
Seems intended
MarioPoneder marked the issue as unsatisfactory: Invalid
I think this intentional immutable feeRecipient needs to be paid attention to by sponsors. Otherwise, once the situation in the report occurs, it will cause a loss of protocol funds.
So please re-evaluate this issue. Thanks
Hi @MarioPoneder ,I see this as a valid issue. One of the primary use cases of protocol, as mentioned in the doc, is market makers as borrowers who wish to acquire a supply of a newly released token to facilitate trading, either via liquidity provision or operating in a central limit order book,
i.e., for newly released tokens this could be a more centralization risk. They would love to restrict feeRecipient
to be safe from fees for thousands of orders [ since the reputation of the token won't be an issue for them initially ]
However, this protocol has a more significant impact since, due to its Under-collateralized nature, it promotes new assets to raise funds, i.e., the more considerable income of protocol(fee collection) is near to centralized assets. , and for traditional tokens, it's already an issue. This affects the primary revenue source of protocol, as mentioned in #618
Thank you for your comments!
Please also see the sponsor's comment on #397:
If blacklisting happens for a token like USDC or USDT, there are far wider implications at play - they have to go through WAVES of legal to do this, and being able to change the feeRecipient doesn't change the facts on the ground. Regarding the recipients potential compromise, this will be a multisig wallet anyway (not that that particular fact matters) - it'd be possible to collect fees and immediately route them to another address via a multicall in any event.
There is a workaround already - deploy a new controller with a different feeRecipient address and forego fees accrued for a given market.
The fee recipient is fully in the hands of the protocol owner while they are fully aware of the risk.
Nevertheless, I agree with grade C QA instead of invalidating the issue.
MarioPoneder changed the severity to QA (Quality Assurance)
MarioPoneder marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-10-wildcat/blob/main/src/market/WildcatMarketBase.sol#L33 https://github.com/code-423n4/2023-10-wildcat/blob/main/src/market/WildcatMarket.sol#L107
Vulnerability details
Impact
When a WildcatMarket is deployed by borrower via
WildcatMarketController.deployMarket
, feeRecipient is obtained by WildcatMarketControllerFactory.getProtocolFeeConfiguration() and assigned to immutable feeRecipient in the constructor of WildcatMarketBase. The variable is defined asimmutable
and therefore cannot be updated. All fees accumulated by a Market belong tofeeRecipient
.We noticed that WildcatMarketControllerFactory.setProtocolFeeConfiguration can change the
feeRecipient
for subsequent deployment of WildcatMarket. However, all WildcatMarkets that have been created can only use the oldfeeRecipient
. If the following happens:feeRecipient
is lost by the protocol.feeRecipient
was stolen by a hacker.feeRecipient
is blacklisted.Then, the protocol needs to set a new feeRecipient via
setProtocolFeeConfiguration
. However, the new feeRecipient will not affect those already deployed WildcatMarkets, which results in loss of fees from the protocol.Proof of Concept
L77,
parameters
are set before creating WildcatMarket, andparameters.feeRecipient
is obtained throughWildcatMarketControllerFactory.getProtocolFeeConfiguration()
.L120,
feeRecipient
is set toparameters.feeRecipient
. It can't changed due toimmutable
.WildcatMarket will accumulate fees to the protocol over time, and anyone can call
collectFees()
to transfer asset tofeeRecipient
.If
feeRecipient
is no longer available for the protocol, the asset accumulated tofeeRecipient
will always be stuck in the contract. Imagine if there would be hundreds or thousands of WildcatMarkets using the samefeeRecipient
, then this would be a significant amount of funding for the protocol.By looking at the code of WildcatMarket and its parent class,
feeRecipient
is only used incollectFees()
. This can completely removefeeRecipient
and obtain the latestfeeRecipient
in this function. This will not bring any fee loss to the protocol.Tools Used
Manual Review
Recommended Mitigation Steps
Add
view
function for controller:then, modify the code of
collectFees
:Assessed type
Context