code-423n4 / 2023-10-wildcat-findings


Sanction Bypass Through Depositing to Authorized Borrower's Market #669

Closed c4-submissions closed 12 months ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/market/WildcatMarket.sol#L86-L91

Vulnerability details

Impact

Wildcat protocol provides lending with lender-backed collateral (considered as reserves, and the ratio must be upheld by the borrower). The protocol team has taken certain steps to prevent interaction with sanctioned users. However, sanction status is only verified on withdrawal, meaning sanction bypasses can occur.

The protocol focuses on validating if approved lenders are sanctioned at some point after market creation and correctly proceeds to lock their funds. However, by doing this:

  1. They ignore accounts that have already been sanctioned. This imposes strict liability issues on the borrower, as they are actively interacting with accounts that are deemed as 'sanctioned' by the Chainalysis sentinel.

  2. A sanctioned lender account address could use a willing/authorised borrower address as a proxy to bypass sanction limitations, meaning a sanctioned user could send money to an approved market.

Proof of Concept

Consider the following scenario:

  1. WildcatArchController.registerBorrower(): Borrower is approved at the ArchController level
  2. WildcatMarketControllerFactory.deployController(): Borrower calls this function to deploy a controller, alternatively, they can call deployControllerAndMarket() to initialise the market in one step.
  3. WildcatMarketController.deployMarket(): Borrower or Controller calls this to create a market. Enforcement of parameters used is done to check bounds of market parameters.
  4. WildcatMarketController.authorizeLender(): Borrower authorises lender. No check is performed here to see if the lender is sanctioned, meaning sanctioned lenders can be added to the system. Assume the lender who is added is sanctioned.
  5. WildcatMarketController.updateAccountAuthorization(): Borrower then pushes these authorizations to the MarketConfig's account list.
  6. WildcatMarket.deposit(): The authorised lender then deposits an amount to the market. In return, the lender's account.scaledBalance is pushed up, indicating he now holds market tokens.

From here, the borrower is able to use these funds as he pleases, and the fees of lending will increment the account balances of the sanctioned lender.

The following caveats should be considered:

  1. A lender's sanction status can be overridden by a borrower; this is currently accepted behaviour. But in this case the borrower is actively accepting the strict liability risks of dealing with this lender. In the above example there is no acceptance of this strict liability, and in the scenario presented the lender could be added to a sanction list before or after being approved by the borrower, up until any time before depositing.

  2. Borrowers may be incentivised to act as laundering proxies both actively by dealing with , or inadvertently through accepting lenders who may own a significant share of reserves and

Tools Used

Manual Review

Recommended Mitigation Steps

Lenders should have their sanction status checked upon depositing.

Assessed type

Invalid Validation
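
The mitigation recommended in the submission above, shown as an added Solidity example that is not part of the original report or of the Wildcat code base. `ISanctionsOracle`, `DepositGatedMarket` and every name inside them are hypothetical, and accounting is reduced to a native-token balance; the point is where the sanction lookup sits relative to lender approval and deposit.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface: a sanctions oracle exposing one lookup per address.
interface ISanctionsOracle {
    function isSanctioned(address account) external view returns (bool);
}

// Hypothetical, simplified market. It is not WildcatMarket.sol.
contract DepositGatedMarket {
    error OnlyBorrower();
    error NotApprovedLender();
    error SanctionedAccount(address account);
    error ZeroAmount();

    ISanctionsOracle public immutable oracle;
    address public immutable borrower;
    mapping(address => bool) public approvedLender;
    mapping(address => uint256) public balanceOf;

    constructor(ISanctionsOracle oracle_) {
        oracle = oracle_;
        borrower = msg.sender;
    }

    // First gate: an address that is already listed is never approved.
    function authorizeLender(address lender) external {
        if (msg.sender != borrower) revert OnlyBorrower();
        if (oracle.isSanctioned(lender)) revert SanctionedAccount(lender);
        approvedLender[lender] = true;
    }

    // Second gate: the lender may have been listed after approval,
    // so the lookup is repeated before any balance is credited.
    function deposit() external payable {
        if (msg.value == 0) revert ZeroAmount();
        if (!approvedLender[msg.sender]) revert NotApprovedLender();
        if (oracle.isSanctioned(msg.sender)) revert SanctionedAccount(msg.sender);
        balanceOf[msg.sender] += msg.value;
    }
}
```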

c4-pre-sort commented 1 year ago

minhquanym marked the issue as duplicate of #326

c4-judge commented 12 months ago

MarioPoneder marked the issue as not a duplicate

c4-judge commented 12 months ago

MarioPoneder marked the issue as unsatisfactory: Overinflated severity