A controller can be removed after it was initially deployed in cases where it was created with wrong parameters. However, in the case that a borrower's controller is removed they would be unable to redeploy another controller constraining them to use the initial controller with incorrect parameters.
Proof of Concept
Due to the following check in the deployController a borrower is only ever able to deploy one controller from a WildcatMarketControllerFactory.sol contract:
if (controller.codehash != bytes32(0)) {
revert ControllerAlreadyDeployed();
}
Tools Used
Manual review
Recommended Mitigation Steps
One solution to the issue could be including a nonce variable when creating a WildcatMarketController.sol contract only if a previous controller has been removed.
Lines of code
https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/WildcatMarketControllerFactory.sol#L282-L301
Vulnerability details
Impact
A controller can be removed after it was initially deployed in cases where it was created with wrong parameters. However, in the case that a borrower's controller is removed they would be unable to redeploy another controller constraining them to use the initial controller with incorrect parameters.
Proof of Concept
Due to the following check in the
deployController
a borrower is only ever able to deploy one controller from aWildcatMarketControllerFactory.sol
contract:Tools Used
Manual review
Recommended Mitigation Steps
One solution to the issue could be including a
nonce
variable when creating aWildcatMarketController.sol
contract only if a previous controller has been removed.Assessed type
Other