search

code-423n4 / 2023-10-wildcat-findings

14 stars 10 forks source link

Rebase (underlying ERC20) tokens would break the property of supply and lead to a loss of funds #606

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/market/WildcatMarket.sol#L86

Vulnerability details

Impact

According to the docs, the lender that deposits 133.7 XYZ tokens into a market will receive 133.7 market tokens - with the market token name depending on what was selected by the borrower when the market was launched.

However, the above architecture does not handle the case when XYZ is a rebasing (or elastic) token whose supply is algorithmically adjusted. The issue might lead to a permanent loss of funds as tokens would stay locked in the contract.

The issue also breaks the following property: The supply of the market token and assets owed by the borrower should always match.

Proof of Concept

Wildcat-Gitbook#deposits WildcatMarket.sol#L86

Tools Used

Manual Review

Recommended Mitigation Steps

  1. You can explicitly state in the documentation that you do not support rebasing mechanism.
  2. Alternatively, when rebasing tokens go down in value, you should have a method to update the market tokens' balances accordingly. And when they go up in value, you should add a method to actually transfer the excess tokens out of the protocol. This is a complex solution.

Assessed type

ERC20

c4-pre-sort commented 1 year ago

minhquanym marked the issue as duplicate of #503

c4-judge commented 1 year ago

MarioPoneder changed the severity to 2 (Med Risk)

c4-judge commented 1 year ago

MarioPoneder marked the issue as satisfactory