code-423n4 / 2023-10-wildcat-findings


Borrower cannot change market capacity (max total supply) after creating a market #727

Closed c4-submissions closed 10 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/main/src/market/WildcatMarketConfig.sol#L134

Vulnerability details

Impact

As per docs, "Subsequent to launch, base APR and capacities can be adjusted by the borrower at will".

After creating a market, a borrower cannot increase the maximum total supply which contradicts the documentation.

Proof of Concept

The WildcatMarketConfig.setMaxTotalSupply() only allows the MarketController to set the maximum total supply; however, no such function exists in the WildcatMarketController.sol contract that can call the setMaxTotalSupply() function in the deployed market.

So a borrower cannot change the max total supply of a market after deployment.

```solidity
// WildcatMarketConfig.sol
function setMaxTotalSupply(uint256 _maxTotalSupply) external onlyController nonReentrant {
  ...
  ...
}
```

Tools Used

Manual review

Recommended Mitigation Steps

Add a function in WildcatMarketController.sol that allows the borrower to call WildcatMarketConfig.setMaxTotalSupply()

Assessed type

Other
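The following sketch illustrates the recommended mitigation above: a borrower-only entry point on the controller that forwards to the market's controller-gated setter. It is an added example, not the Wildcat project's code; the `onlyBorrower` and `onlyControlledMarket` modifiers, the `_controlledMarkets` bookkeeping and the `IWildcatMarket` interface are assumptions made for illustration, not taken from the repository.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed: the deployed market exposes setMaxTotalSupply(uint256) gated by
// onlyController, exactly as the finding describes.
interface IWildcatMarket {
  function setMaxTotalSupply(uint256 maxTotalSupply) external;
}

// Illustrative controller fragment (not the project's WildcatMarketController).
contract WildcatMarketControllerExample {
  address public immutable borrower;
  // Assumed bookkeeping: markets this controller deployed and therefore controls.
  mapping(address => bool) internal _controlledMarkets;

  error NotBorrower();
  error NotControlledMarket();

  constructor(address _borrower) {
    borrower = _borrower;
  }

  modifier onlyBorrower() {
    if (msg.sender != borrower) revert NotBorrower();
    _;
  }

  modifier onlyControlledMarket(address market) {
    if (!_controlledMarkets[market]) revert NotControlledMarket();
    _;
  }

  // The entry point the finding says is missing: the borrower adjusts capacity
  // through the controller, which is the only address the market authorises
  // to call setMaxTotalSupply. Both checks run before the external call.
  function setMaxTotalSupply(address market, uint256 maxTotalSupply)
    external
    onlyBorrower
    onlyControlledMarket(market)
  {
    IWildcatMarket(market).setMaxTotalSupply(maxTotalSupply);
  }
}
```

The market-side `onlyController` check stays in place, so this forwarding function becomes the single path by which capacity can change; the controller's job is to verify that the caller is the borrower and that the target is a market it actually deployed, so that a borrower cannot drive a setter on a market belonging to someone else.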

c4-pre-sort commented 10 months ago

minhquanym marked the issue as duplicate of #162

c4-pre-sort commented 10 months ago

minhquanym marked the issue as duplicate of #147

c4-judge commented 10 months ago

MarioPoneder marked the issue as partial-50

c4-judge commented 10 months ago

MarioPoneder changed the severity to 3 (High Risk)

laurenceday commented 10 months ago

Noting the upgrade to High Risk here: countering that all this means, as is, is that the current market token capacity cannot be changed after deployment: no funds are at risk. We've acknowledged this as a Med Risk elsewhere.