Closed c4-submissions closed 10 months ago
minhquanym marked the issue as duplicate of #162
minhquanym marked the issue as duplicate of #147
MarioPoneder marked the issue as partial-50
MarioPoneder changed the severity to 3 (High Risk)
Noting the upgrade to High Risk here: countering that all this means as is is that the current market token capacity cannot be changed after deployment: no funds are at risk. We've acknowledged this as a Med Risk elsewhere.
Lines of code
https://github.com/code-423n4/2023-10-wildcat/blob/main/src/market/WildcatMarketConfig.sol#L134
Vulnerability details
Impact
As per docs, "Subsequent to launch, base APR and capacities can be adjusted by the borrower at will".
After creating a market, a borrower cannot increase the maximum total supply which contradicts the documentation.
Proof of Concept
The WildcatMarketConfig.setMaxTotalSupply() only allows the MarketController to set the maximum total supply, however, no such function exists in the WildcatMarketController.sol contract that can call the setMaxTotalSupply() function in the deployed market.
So a borrower cannot change the max total supply of a market after deployment.
Tools Used
Manual review
Recommended Mitigation Steps
Add a function in WildcatMarketController.sol that allows the borrower to call WildcatMarketConfig.setMaxTotalSupply()
Assessed type
Other
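The recommended mitigation as a minimal model, added here as an example and not taken from the Wildcat code base or from the submission. MarketModel and ControllerModel are hypothetical stand-ins; the borrower check, the market registry and every name other than setMaxTotalSupply are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the market: capacity is controller-gated.
contract MarketModel {
    address public immutable controller;
    uint256 public maxTotalSupply;

    error NotController();

    constructor(uint256 maxTotalSupply_) {
        controller = msg.sender; // the deploying controller
        maxTotalSupply = maxTotalSupply_;
    }

    // Reachable only through the controller, so without a forwarder
    // on the controller this setter is dead code after deployment.
    function setMaxTotalSupply(uint256 newMax) external {
        if (msg.sender != controller) revert NotController();
        maxTotalSupply = newMax;
    }
}

// Hypothetical stand-in for the controller, with the forwarder added.
contract ControllerModel {
    address public immutable borrower;
    mapping(address => bool) public isDeployedMarket;

    error NotBorrower();
    error UnknownMarket();

    constructor(address borrower_) {
        borrower = borrower_;
    }

    function deployMarket(uint256 maxTotalSupply_) external returns (address market) {
        if (msg.sender != borrower) revert NotBorrower();
        market = address(new MarketModel(maxTotalSupply_));
        isDeployedMarket[market] = true;
    }

    // The missing path: the borrower adjusts capacity via the controller.
    // Both checks matter: caller must be the borrower, and the target
    // must be a market this controller deployed (no arbitrary calls).
    function setMaxTotalSupply(address market, uint256 newMax) external {
        if (msg.sender != borrower) revert NotBorrower();
        if (!isDeployedMarket[market]) revert UnknownMarket();
        MarketModel(market).setMaxTotalSupply(newMax);
    }
}
```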