search

code-423n4 / 2023-10-wildcat-findings

12 stars 9 forks source link

Missing check to avoid zero transfer revert #691

Closed c4-submissions closed 10 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/WildcatMarketController.sol#L346

Vulnerability details

Impact

Cannot deploy market with originationFeeAmount == 0 for ERC20 asset which reverts on zero amount transfers.

Proof of concept

In deployMarket() the following is executed:

if (originationFeeAsset != address(0)) {
    originationFeeAsset.safeTransferFrom(borrower, parameters.feeRecipient, originationFeeAmount);
}

If originationFeeAmount == 0 then safeTransferFrom() reverts](https://github.com/Vectorized/solady/blob/6cce088e69d6e46671f2f622318102bd5db77a65/src/utils/SafeTransferLib.sol#L174) if originationFeeAsset is an ERC20 which reverts on zero amount transfers.

Recommended mitigation

if (originationFeeAsset != address(0) && originationFeeAmount > 0)

Assessed type

ERC20

c4-pre-sort commented 10 months ago

minhquanym marked the issue as duplicate of #74

c4-judge commented 10 months ago

MarioPoneder marked the issue as unsatisfactory: Out of scope