code-423n4 / 2023-10-wildcat-findings


Borrower cannot change the maximum supply #694

Closed c4-submissions closed 10 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/main/src/market/WildcatMarketConfig.sol#L128-L144
https://github.com/code-423n4/2023-10-wildcat/blob/main/src/libraries/MarketState.sol#L59-L61
https://github.com/code-423n4/2023-10-wildcat/blob/main/src/market/WildcatMarket.sol#L53

Vulnerability details

Impact

The maximum supply cannot be increased and, by extension, neither can the max deposit limit.

Proof of Concept

WildcatMarketConfig@setMaxTotalSupply is only callable by the WildcatMarketController but is not used anywhere there.

WildcatMarketConfig.sol
  function setMaxTotalSupply(uint256 _maxTotalSupply) external onlyController nonReentrant {
    // ...
  }

Tools Used

Manual Review

Recommended Mitigation Steps

Add the missing logic to allow the borrower to set the maximum total supply in the WildcatMarketController or change the modifier from onlyController to onlyBorrower for WildcatMarketConfig@setMaxTotalSupply.

Assessed type

Other
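An added example, not part of the original submission or the Wildcat code base: a small audit check that lists functions gated by `onlyController` which the controller source never calls, the condition this report describes for `setMaxTotalSupply`. The Solidity snippets are constructed samples; `setExampleRate`, `updateRate`, `IMarket` and the controller body are hypothetical names.

```python
import re

# Constructed sample sources (not the real Wildcat contracts). Only
# setMaxTotalSupply, onlyController and nonReentrant come from the report;
# setExampleRate, updateRate and IMarket are hypothetical.
MARKET_SRC = """
contract WildcatMarketConfig {
  function setMaxTotalSupply(uint256 _maxTotalSupply) external onlyController nonReentrant {}
  function setExampleRate(uint256 _rate) public onlyController {}
  function deposit(uint256 amount) external nonReentrant {}
}
"""

CONTROLLER_SRC = """
contract WildcatMarketController {
  // setMaxTotalSupply is mentioned only in this comment, never called
  function updateRate(address market, uint256 rate) external onlyBorrower {
    IMarket(market).setExampleRate(rate);
  }
}
"""

# Function header: name, parameter list, then visibility/modifiers up to '{' or ';'.
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)[{;]")
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)


def gated_functions(src, modifier):
    """Names of functions whose header carries `modifier` as a whole word."""
    src = COMMENT_RE.sub("", src)
    return [m.group(1) for m in FUNC_RE.finditer(src)
            if re.search(rf"\b{re.escape(modifier)}\b", m.group(3))]


def unreachable_from(caller_src, names):
    """Gated functions the caller never invokes as `.name(` (comments ignored)."""
    code = COMMENT_RE.sub("", caller_src)
    return [n for n in names if not re.search(rf"\.\s*{re.escape(n)}\s*\(", code)]


def audit(market_src, controller_src, modifier="onlyController"):
    """Functions only the controller may call that the controller never calls."""
    return unreachable_from(controller_src, gated_functions(market_src, modifier))


if __name__ == "__main__":
    print(audit(MARKET_SRC, CONTROLLER_SRC))
```

The check is textual, so a call made through an encoded selector or a low-level call would be reported as missing; confirm each hit by hand.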

c4-pre-sort commented 10 months ago

minhquanym marked the issue as duplicate of #162

c4-pre-sort commented 10 months ago

minhquanym marked the issue as duplicate of #147

c4-judge commented 10 months ago

MarioPoneder marked the issue as partial-50

c4-judge commented 10 months ago

MarioPoneder changed the severity to 2 (Med Risk)

c4-judge commented 10 months ago

MarioPoneder changed the severity to 3 (High Risk)