Protocol fees can be bypassed through penalty rates

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/libraries/FeeMath.sol#L45

Vulnerability details

Impact

As mentioned in the previous audit by aleph_v, protocol fees can be bypassed while still paying the same rate to the lenders. The issue was neither resolved nor acknowledged.

Proof of Concept

The overall interest paid by the borrower is the interest times the protocol fee plus any delinquency fees. By setting the delinquency fee percent to the intended interest and then setting the protocol interest percent to zero (or close to zero) the borrower can construct a vault which pays the lenders the same amount of interest via delinquency fees as it would pay via interest. The borrower can increase the liquidity requirements to force payment of persistent delinquency fees. In this case the lenders have no incentive to withdraw as they get the same rate and borrowers pay a net lower fee as no protocol fee is collected. aleph_v, FeeMath.sol#L45

Tools Used

Manual Review

Recommended Mitigation Steps

Charge protocol fees on the extra interest which is paid by delinquent loans.

Assessed type

Other

[c4-pre-sort]

minhquanym marked the issue as sufficient quality report

[laurenceday]

Not a finding, and also quoting something specifically out of scope from a previous review.

[c4-sponsor]

laurenceday (sponsor) disputed

[c4-judge]

MarioPoneder changed the severity to QA (Quality Assurance)

[MarioPoneder]

QA:

1. Don't see incentive for lender to lose the feature of "real" delinquency. However, it is till possible.
2. Although, a previous audit report was listed in the README, I cannot see where it was specifically declared out of scope.

[c4-judge]

MarioPoneder marked the issue as grade-b