code-423n4 / 2023-12-initcapital-findings


In case if wLP will be blacklisted then user will not be able to withdraw it #13

Open c4-bot-9 opened 10 months ago

c4-bot-9 commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-12-initcapital/blob/main/contracts/core/InitCore.sol#L275

Vulnerability details

Proof of Concept

When users deposit wLP tokens as collateral, then they are checked to be whitelisted.

Later, it's possible that for some reason the wLP token will be blacklisted by the governor. And once it's done, users who already used those wLP tokens as collateral will not be able to withdraw them.

Also same thing exists for the liquidateWLp function, which means that in case if position, that is collateralized with wLP that is blacklisted, will become unhealthy, then liquidators will not be able to liquidate it.

The sponsor said that the blacklisting flow will be as follows.

Considering this fact, I realize that for liquidation this will not be an issue, as wLp will have 0 collateralization power when it is blacklisted. However, it's still possible that some user will not have decollateralized their wLp tokens yet for some reason, and thus they will not be able to withdraw them later.

Impact

User can't withdraw previously deposited wLP tokens after they were blacklisted.

Tools Used

VsCode

Recommended Mitigation Steps

Even if a wLP token is blacklisted now, you should still allow users to withdraw it. After all, you have a health check function that will guarantee that the position has enough collateral.

Assessed type

Error
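The pattern in the report above, reduced to a minimal Solidity model (an added example, not InitCapital's code and not part of the original report). All contract, function and variable names are hypothetical, and the model assumes one wLP per user, value 1:1 with amount, and internal accounting only with no token transfers; it shows the whitelist-gated exit next to an exit guarded by the health check alone.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Added illustration. All names are hypothetical; this is not InitCapital's code.
// Assumptions: one wLP per user, value 1:1 with amount, accounting only (no transfers).
contract WLpWhitelistModel {
    struct Position { address wLp; uint256 amount; uint256 debt; }
    address public immutable governor;
    mapping(address => bool) public whitelisted; // wLP => accepted as collateral
    mapping(address => Position) public positions;
    constructor() { governor = msg.sender; }

    function setWhitelisted(address wLp, bool ok) external {
        require(msg.sender == governor, "not governor");
        whitelisted[wLp] = ok;
    }

    // Entry path: the whitelist check belongs here.
    function collateralize(address wLp, uint256 amt) external {
        require(whitelisted[wLp], "wLP not whitelisted");
        Position storage p = positions[msg.sender];
        require(p.amount == 0 || p.wLp == wLp, "one wLP per position");
        p.wLp = wLp;
        p.amount += amt;
    }

    function borrow(uint256 amt) external {
        positions[msg.sender].debt += amt;
        require(isHealthy(msg.sender), "position unhealthy");
    }

    function repay(uint256 amt) external { positions[msg.sender].debt -= amt; }
    // Reported pattern: exit repeats the whitelist check, so it reverts once the wLP is unwhitelisted.
    function decollateralizeGated(uint256 amt) external {
        require(whitelisted[positions[msg.sender].wLp], "wLP not whitelisted");
        _withdraw(amt);
    }

    // Recommended shape: exit is guarded by the health check alone.
    function decollateralize(uint256 amt) external { _withdraw(amt); }
    function _withdraw(uint256 amt) internal {
        positions[msg.sender].amount -= amt; // reverts on underflow (0.8+)
        require(isHealthy(msg.sender), "position unhealthy");
    }

    // An unwhitelisted wLP contributes zero collateral credit.
    function isHealthy(address user) public view returns (bool) {
        Position storage p = positions[user];
        return (whitelisted[p.wLp] ? p.amount : 0) >= p.debt;
    }
}
```

In this model a debt-free user can always exit through `decollateralize` after unwhitelisting, while a user with outstanding debt must `repay` first because the unwhitelisted wLP no longer counts toward health.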

c4-judge commented 10 months ago

hansfriese marked the issue as primary issue

c4-sponsor commented 10 months ago

fez-init (sponsor) acknowledged

fez-init commented 10 months ago

We will use unwhitelisting with care.

c4-judge commented 10 months ago

hansfriese marked the issue as satisfactory

c4-judge commented 10 months ago

hansfriese marked the issue as selected for report