code-423n4 / 2023-10-wildcat-findings


Malicious initial reserve ratio can be used to rug lenders collateral #674

Closed c4-submissions closed 10 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/WildcatMarketController.sol#L477-L481

Vulnerability details

Impact

Wildcat protocol provides borrowers the ability to adjust annual interest BIPs after market deployment. In order to protect lenders, the protocol increases the reserve ratio of the market to 90% for two weeks. The increased reserve ratio allows borrowers to exit if they choose for up to 2 weeks before the reserve ratio is reset back to baseline. This calculation assumes the initial reserve ratio starts lower than 90%. If the initial reserve ratio is set higher, the borrower can instantly lower the reserve ratio to 90% by lowering the annual interest BIPs.

This allows the borrower the ability to withdraw up to an additional 10% of the market total supply which previously a lender would have considered part of the reserve ratio (something which under normal conditions can't be lowered below the initial baseline level).

Proof of Concept

Consider the following scenario:

  1. A borrower deploys a market, sets the reserve ratio to 98%, a seemingly extremely safe market where the lenders have a greater chance than others at being repaid. The lenders accept this market under those conditions.
  2. Once the borrower has maxed out the expected totalSupply of marketTokens they can then call WildcatMarketController.setAnnualInterestBips() where the annual interest rate value is lower than expected. This will instantly give them access to an additional 8% of user funds.

Further notes: it is important to note that setting reserve ratios of 98% is allowed by the system currently and it is important to consider that the market lenders and borrowers though agreeing to a system perhaps not run as intended by Wildcat, can only agree to how they believe the system to behave. Without strictly inspecting the code a lender would have no idea that despite having a reserve ratio of 98%, the borrower has access to 10%, not 2% of lender funds.

I have set the rating for this as medium due to the setup requirements of this attack. Though it could be argued that 8% of user funds could attribute to a significant portion. The file is both in scope and no notes have been included in the audit about any out of scope aspects of invariant testing.

Tools Used

Manual Review

Recommended Mitigation Steps

Lenders should have sanction status checked when transferring.

Assessed type

Rug-Pull
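The arithmetic behind the report above, as an added example that is not part of the original submission and is not Wildcat's contract code: a simplified Python model of a rate cut that forces the reserve ratio to 90%, next to a guarded variant that never lowers it. Apart from `setAnnualInterestBips` and the 90% / two-week figures, every name, the 1,000,000-token supply and the `max()` guard are assumptions made for illustration.

```python
from dataclasses import dataclass

BIP = 10_000                      # 100% expressed in basis points
TEMP_RESERVE_RATIO_BIPS = 9_000   # the 90% temporary ratio described in the report
TWO_WEEKS = 14 * 24 * 60 * 60     # seconds


@dataclass
class Market:
    """Constructed model of a market; field names are hypothetical."""
    total_supply: int
    annual_interest_bips: int
    reserve_ratio_bips: int
    original_reserve_ratio_bips: int = 0   # ratio to restore after the window
    temp_expiry: int = 0                   # 0 means no temporary ratio is active

    def borrowable(self) -> int:
        # Funds the borrower may hold outside the required reserves.
        required = self.total_supply * self.reserve_ratio_bips // BIP
        return self.total_supply - required


def set_annual_interest_bips(m: Market, new_bips: int, now: int, guarded: bool) -> int:
    """Model of a rate change; returns the borrowable amount afterwards."""
    if new_bips < m.annual_interest_bips:
        if m.temp_expiry == 0:
            m.original_reserve_ratio_bips = m.reserve_ratio_bips
            if guarded:
                # Assumed guard: the temporary ratio may only raise the requirement.
                m.reserve_ratio_bips = max(m.reserve_ratio_bips, TEMP_RESERVE_RATIO_BIPS)
            else:
                # Behaviour described in the report: 90% is applied unconditionally.
                m.reserve_ratio_bips = TEMP_RESERVE_RATIO_BIPS
        m.temp_expiry = now + TWO_WEEKS
    m.annual_interest_bips = new_bips
    return m.borrowable()


def borrowable_after_rate_cut(initial_ratio_bips: int, guarded: bool) -> tuple:
    """Borrowable amount before and after cutting interest from 10% to 5%."""
    m = Market(total_supply=1_000_000, annual_interest_bips=1_000,
               reserve_ratio_bips=initial_ratio_bips)
    before = m.borrowable()
    after = set_annual_interest_bips(m, 500, now=0, guarded=guarded)
    return before, after


if __name__ == "__main__":
    for ratio in (2_000, 9_800):
        for guarded in (False, True):
            print(ratio, guarded, borrowable_after_rate_cut(ratio, guarded))
```

With a 98% market the unguarded path moves the borrowable amount from 2% to 10% of supply, matching the extra 8% in the proof of concept, while a market that starts below 90% behaves the same in both variants.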

c4-pre-sort commented 10 months ago

minhquanym marked the issue as duplicate of #75

c4-judge commented 10 months ago

MarioPoneder marked the issue as satisfactory