code-423n4 / 2023-10-wildcat-findings


Borrower cannot change the maximum supply #694

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/main/src/market/WildcatMarketConfig.sol#L128-L144
https://github.com/code-423n4/2023-10-wildcat/blob/main/src/libraries/MarketState.sol#L59-L61
https://github.com/code-423n4/2023-10-wildcat/blob/main/src/market/WildcatMarket.sol#L53

Vulnerability details

Impact

Maximum supply cannot be increased and by extension the max deposit limit too.

Proof of Concept

WildcatMarketConfig@setMaxTotalSupply is only callable by the WildcatMarketController but is not used anywhere there.

WildcatMarketConfig.sol
  function setMaxTotalSupply(uint256 _maxTotalSupply) external onlyController nonReentrant {
    // ...
  }

Tools Used

Manual Review

Recommended Mitigation Steps

Add the missing logic to allow the borrower to set the maximum total supply in the WildcatMarketController or change the modifier from onlyController to onlyBorrower for WildcatMarketConfig@setMaxTotalSupply.

Assessed type

Other
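An added example, not part of the original submission or the Wildcat code base: a heuristic Python check for the pattern reported above, where a market function gated by onlyController is never called from the controller contract. The two Solidity sources and the contract names Market and Controller are constructed and simplified for illustration.

```python
import re

# Constructed, simplified sources for illustration only (not the Wildcat code base).
MARKET_SRC = """
contract Market {
  function setMaxTotalSupply(uint256 _maxTotalSupply) external onlyController nonReentrant { }
  function setAnnualInterestBips(uint16 _bips) public onlyController nonReentrant { }
  function updateState() external nonReentrant { }
}
"""
CONTROLLER_SRC = """
contract Controller {
  function setAnnualInterestBips(address market, uint16 bips) external onlyBorrower {
    Market(market).setAnnualInterestBips(bips);
  }
}
"""

# Function header: name, parameter list, then visibility/modifiers up to '{' or ';'.
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)[{;]")

def strip_comments(src):
    """Drop block and line comments so commented-out calls are not counted."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def gated_functions(src, modifier):
    """Names of functions whose header carries `modifier`, in source order."""
    found = []
    for name, _params, tail in FUNC_RE.findall(strip_comments(src)):
        if re.search(rf"\b{re.escape(modifier)}\b", tail):
            found.append(name)
    return found

def external_calls(src):
    """Names used in member calls of the form `<expr>.name(`."""
    return set(re.findall(r"\.\s*(\w+)\s*\(", strip_comments(src)))

def unreachable(market_src, controller_src, modifier="onlyController"):
    """Gated market functions that the controller source never calls."""
    called = external_calls(controller_src)
    return [f for f in gated_functions(market_src, modifier) if f not in called]

if __name__ == "__main__":
    print(unreachable(MARKET_SRC, CONTROLLER_SRC))
```

The match is textual, so calls made through selectors or low-level `call` are not seen; treat each reported name as a prompt for manual review.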

c4-pre-sort commented 1 year ago

minhquanym marked the issue as duplicate of #162

c4-pre-sort commented 1 year ago

minhquanym marked the issue as duplicate of #147

c4-judge commented 1 year ago

MarioPoneder marked the issue as partial-50

c4-judge commented 1 year ago

MarioPoneder changed the severity to 2 (Med Risk)

c4-judge commented 1 year ago

MarioPoneder changed the severity to 3 (High Risk)