code-423n4 / 2023-10-wildcat-findings


Deploying a market with a non-ERC20 asset can cause incorrect interaction with asset #696

Closed c4-submissions closed 10 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/WildcatMarketController.sol#L292-L360

Vulnerability details

Impact

The market contract may expect certain ERC20 functions to be present and behave in a specific way. If the asset contract does not adhere to the ERC20 standard, the market may behave unexpectedly, resulting in incorrect token balances, pricing, or other critical parameters.

For example, when a safeTransferFrom function is used to transfer assets: if the asset is not an ERC20 token, this call will fail, potentially resulting in a loss of funds or locking of funds in the contract. Users interacting with the market could also lose funds if they attempt to deposit or withdraw the invalid asset.

Tools Used

VS Code

Recommended Mitigation Steps

Implement a validation function that checks if the asset contract adheres to the ERC20 standard. This function should verify that the asset contract has the necessary functions and that they behave as expected.

// Assumes an IERC20Metadata-style interface that declares decimals()
// (OpenZeppelin's plain IERC20 does not).
function isValidAsset(address asset) internal view returns (bool) {
    // try/catch does not catch the revert caused by calling an address
    // with no code, so reject externally owned accounts up front.
    if (asset.code.length == 0) return false;
    try IERC20Metadata(asset).decimals() returns (uint8) {
        // Further checks can be added here as necessary
        return true;
    } catch {
        return false;
    }
}

Assessed type

ERC20
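The try/catch probe suggested above has two gaps a reviewer would want closed: a call to an address with no code reverts outside the catch, and a contract whose fallback returns empty or short data makes the ABI decode revert outside the catch as well. The following is an added example (not Wildcat code and not part of the original submission) that performs the same validation with low-level staticcall, so every failure mode maps to a `false` return. The names `IERC20Like`, `ERC20Probe` and `AssetGate` are hypothetical; the selectors are derived from the standard ERC20 signatures via `abi.encodeCall`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 view surface the probe relies on (hypothetical interface name).
interface IERC20Like {
    function totalSupply() external view returns (uint256);
    function balanceOf(address account) external view returns (uint256);
    function decimals() external view returns (uint8);
}

/// Added example: probe an asset address for the ERC20 view functions a market
/// depends on. Uses staticcall so that a missing function, a reverting fallback,
/// or malformed return data all yield `false` instead of an uncaught revert.
library ERC20Probe {
    /// True only if `asset` has code and answers totalSupply(), balanceOf(address)
    /// and decimals() with at least one ABI word of data; decimals must fit uint8.
    function looksLikeERC20(address asset) internal view returns (bool) {
        // Externally owned accounts and undeployed addresses have no code.
        if (asset.code.length == 0) return false;

        // totalSupply() -> uint256
        if (!_returnsWord(asset, abi.encodeCall(IERC20Like.totalSupply, ()))) return false;

        // balanceOf(address) -> uint256; probe with the caller as the holder
        if (!_returnsWord(asset, abi.encodeCall(IERC20Like.balanceOf, (address(this))))) return false;

        // decimals() -> uint8; decode as uint256 first so an out-of-range word
        // does not revert, then range-check it ourselves.
        (bool ok, bytes memory data) = asset.staticcall(abi.encodeCall(IERC20Like.decimals, ()));
        if (!ok || data.length < 32) return false;
        uint256 dec = abi.decode(data, (uint256));
        return dec <= type(uint8).max;
    }

    /// Call succeeded and returned at least one 32-byte ABI word.
    function _returnsWord(address target, bytes memory callData) private view returns (bool) {
        (bool ok, bytes memory data) = target.staticcall(callData);
        return ok && data.length >= 32;
    }
}

/// Hypothetical gate a market factory could call before deploying a market.
contract AssetGate {
    error NotAnERC20(address asset);

    function requireERC20(address asset) external view {
        if (!ERC20Probe.looksLikeERC20(asset)) revert NotAnERC20(asset);
    }
}
```

This check verifies interface shape, not behaviour: a contract can answer all three calls and still misbehave on transfer, so it complements rather than replaces an allowlist of approved assets. Tokens that return no bool from transfer (the case safeTransferFrom exists to handle) still pass, which is the intended outcome since the probe only touches view functions.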

c4-pre-sort commented 10 months ago

minhquanym marked the issue as low quality report

minhquanym commented 10 months ago

OOS in README

c4-judge commented 10 months ago

MarioPoneder marked the issue as unsatisfactory: Out of scope