Closed c4-submissions closed 10 months ago
minhquanym marked the issue as primary issue
minhquanym marked the issue as sufficient quality report
Good find! Thank you :pray:
d1ll0n (sponsor) confirmed
MarioPoneder marked the issue as satisfactory
MarioPoneder changed the severity to 3 (High Risk)
MarioPoneder marked issue #506 as primary and marked this issue as a duplicate of 506
Lines of code
https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/market/WildcatMarket.sol#L142
https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/libraries/MarketState.sol#L138
https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/libraries/FeeMath.sol#L89
Vulnerability details
The borrower does not pay all debts when he closes the market
Impact
When the borrower closes the market using WildMarket::closeMarket(), he must pay all debts:
The totalDebts() function calculates how much the borrower needs to pay back to the market. The problem is that the function does not count all the debt incurred while the borrower was delinquent. The penalty is increased when the user is delinquent (code lines 97-111), and the penalty is decreased when time has elapsed (code line 115). The borrower will not pay all the debt incurred while he was in delinquent mode when he closes the market.
Proof of Concept
Please consider the next scenario, taking into consideration the example from the documentation:
Example:
Now adapting the example above to the next scenario:
Tools used
Manual review
Recommended Mitigation Steps
When the borrower closes the market, consider calculating all the debt from when the borrower was in delinquency.
Assessed type
Math
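
A simplified model of the accounting gap this report describes, added here as an illustration and not taken from the Wildcat code base or from the submission. It assumes a delinquency timer that counts up while the market is delinquent and back down afterwards, with the penalty charged for every second the timer sits above a grace period; the class, function names, grace period, rate and principal are all constructed for the example.

```python
from dataclasses import dataclass

DAY = 86_400
YEAR = 365 * DAY

@dataclass
class DelinquencyTimer:
    grace_period: int          # assumed: seconds tolerated before the penalty applies
    time_delinquent: int = 0   # counts up while delinquent, down while healthy
    penalty_seconds: int = 0   # seconds already charged at the penalty rate

    def advance(self, dt: int, delinquent: bool) -> None:
        prev = self.time_delinquent
        if delinquent:
            self.time_delinquent = prev + dt
            # Only the part of the interval spent above the grace period is charged.
            self.penalty_seconds += max(0, prev + dt - max(prev, self.grace_period))
        else:
            self.time_delinquent = max(0, prev - dt)
            # The penalty keeps accruing until the timer falls back to the grace period.
            self.penalty_seconds += min(dt, max(0, prev - self.grace_period))

    def pending_penalty_seconds(self) -> int:
        """Penalty time not charged yet that would be charged as the timer unwinds."""
        return max(0, self.time_delinquent - self.grace_period)

def penalty_owed(principal: int, penalty_bips: int, seconds: int) -> int:
    """Simple (non-compounding) penalty interest, rounded down."""
    return principal * penalty_bips * seconds // (10_000 * YEAR)

def close_market(timer: DelinquencyTimer, principal: int, penalty_bips: int,
                 settle_pending: bool) -> int:
    """Penalty collected at close; settle_pending models the recommended mitigation."""
    seconds = timer.penalty_seconds
    if settle_pending:
        seconds += timer.pending_penalty_seconds()
    return penalty_owed(principal, penalty_bips, seconds)

def scenario(settle_pending: bool) -> int:
    # Constructed values: 3-day grace period, 10 days delinquent, 20% penalty rate.
    timer = DelinquencyTimer(grace_period=3 * DAY)
    timer.advance(10 * DAY, delinquent=True)
    return close_market(timer, 1_000_000, 2_000, settle_pending)

if __name__ == "__main__":
    print("penalty paid, closed as-is:      ", scenario(False))
    print("penalty paid, pending settled:   ", scenario(True))
```

In this model, closing right after the delinquent period collects only the penalty seconds already charged; the seconds still pending on the timer are the part a close-time settlement would have to add.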