Vulnerability details
Impact
The market contract expects certain ERC20 functions to be present and to behave in a specific way. If the asset contract does not adhere to the ERC20 standard, the market may behave unexpectedly, resulting in incorrect token balances, pricing, or other critical parameters.
For example, the market uses safeTransferFrom to move assets; if the asset is not an ERC20 token, that call will fail, potentially resulting in funds being lost or locked in the contract.
Users interacting with the market could also lose funds if they attempt to deposit or withdraw the invalid asset.
Tools Used
Vscode
Recommended Mitigation Steps
Implement a validation function that checks whether the asset contract adheres to the ERC20 standard. This function should verify that the asset contract exposes the necessary functions and that they behave as expected.
    function isValidAsset(address asset) internal view returns (bool) {
        // An address with no code can never be a valid token. Without this guard
        // the external call below fails inside this contract (no code to call /
        // nothing to ABI-decode), which the catch block does not handle.
        if (asset.code.length == 0) return false;
        // decimals() belongs to the optional ERC20 metadata extension, so it is
        // declared on IERC20Metadata rather than IERC20.
        try IERC20Metadata(asset).decimals() returns (uint8) {
            // Further checks can be added here as necessary
            return true;
        } catch {
            return false;
        }
    }
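A more thorough version of the same check, added here as an illustration and not code from the Wildcat repository: it probes totalSupply(), balanceOf() and decimals() with staticcall and treats a call that "succeeds" but returns the wrong amount of data (an EOA, a fallback-only contract, or a non-standard return type) as a failure. The library and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical helper (example only, not part of the audited code base).
library ERC20Probe {
    /// Static-calls `target` with `data` and requires exactly one ABI word
    /// (32 bytes) back. Selectors that hit a fallback usually return nothing,
    /// and EOAs return nothing, so both are rejected here.
    function _returnsWord(address target, bytes memory data)
        private
        view
        returns (bool ok, uint256 word)
    {
        bytes memory ret;
        (ok, ret) = target.staticcall(data);
        if (!ok || ret.length != 32) return (false, 0);
        word = abi.decode(ret, (uint256));
    }

    /// Returns true when `asset` exposes the ERC20 read surface the market
    /// relies on. This checks the ABI shape only: it cannot detect
    /// fee-on-transfer or rebasing behaviour, which needs a separate policy.
    function looksLikeERC20(address asset) internal view returns (bool) {
        if (asset.code.length == 0) return false;

        (bool okSupply, ) = _returnsWord(
            asset, abi.encodeWithSelector(bytes4(keccak256("totalSupply()")))
        );
        if (!okSupply) return false;

        (bool okBal, ) = _returnsWord(
            asset,
            abi.encodeWithSelector(bytes4(keccak256("balanceOf(address)")), address(this))
        );
        if (!okBal) return false;

        // decimals() is optional in the ERC20 spec; requiring it is a policy
        // choice that matches the mitigation above. A uint8 must fit in 255.
        (bool okDec, uint256 dec) = _returnsWord(
            asset, abi.encodeWithSelector(bytes4(keccak256("decimals()")))
        );
        if (!okDec || dec > 255) return false;

        return true;
    }
}
```

Because every probe is a staticcall, the helper can be used from the view context of the controller's parameter validation without risking state changes in the probed contract.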
Lines of code
https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/WildcatMarketController.sol#L292-L360
Assessed type
ERC20