Lines of code
https://github.com/code-423n4/2023-12-initcapital/blob/main/contracts/core/InitCore.sol#L191-L195
Vulnerability details
Proof of Concept
Using the setPosMode function, the owner of a position can change its mode. When the function is called, there are a lot of checks, such as whether the current mode allows decollateralizing and whether the new mode allows collateralizing. It is also checked that all position collateral is used by the new mode. This is done for the pools and for the wLp tokens.
For wLp tokens to be usable as collateral, the wLp must be whitelisted. This is checked in several places in the code, like here. It is also possible that after some time a wLp token will be blacklisted. In that case it should not be allowed to migrate the blacklisted wLp token to the new mode; however, there is no such check in the setPosMode function.
As a result, a user can provide blacklisted collateral to the new mode. I understand that the borrowing factor for such collateral will likely be about 0; however, if you try to collateralize such a token, it will be denied, thus the setMode function breaks this invariant.
Impact
Non-whitelisted collateral can be moved to the new mode.
Tools Used
VsCode
Recommended Mitigation Steps
Do not allow a user to move blacklisted collateral to the new mode.
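A sketch of the recommended check, added here as an illustration and not taken from InitCore.sol or from the report. It is a simplified model of the invariant: every contract, mapping and function name other than setPosMode is an assumption, and pools, health checks and reentrancy guards are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Simplified model of the invariant, not the project's code (names are hypothetical).
contract ModeMigrationModel {
    address public immutable governor;
    mapping(address => bool) public whitelistedWLps;               // wLp => currently whitelisted
    mapping(uint16 => mapping(address => bool)) public modeAllows; // mode => wLp => usable as collateral
    mapping(uint256 => address) public posOwner;
    mapping(uint256 => uint16) public posMode;
    mapping(uint256 => address[]) internal posWLps;                // wLps held by each position

    constructor() { governor = msg.sender; }

    function setWhitelisted(address wLp, bool ok) external {
        require(msg.sender == governor, "not governor");
        whitelistedWLps[wLp] = ok; // ok == false models a later blacklisting
    }

    function setModeAllows(uint16 mode, address wLp, bool ok) external {
        require(msg.sender == governor, "not governor");
        modeAllows[mode][wLp] = ok;
    }

    function openPos(uint256 posId, uint16 mode) external {
        require(posOwner[posId] == address(0), "position exists");
        posOwner[posId] = msg.sender;
        posMode[posId] = mode;
    }

    // Collateralize path: a wLp that is not whitelisted is denied here.
    function collateralizeWLp(uint256 posId, address wLp) external {
        require(msg.sender == posOwner[posId], "not owner");
        require(whitelistedWLps[wLp], "wLp not whitelisted");
        require(modeAllows[posMode[posId]][wLp], "invalid mode");
        posWLps[posId].push(wLp);
    }

    // Mode change that enforces the same whitelist rule as collateralizeWLp.
    function setPosMode(uint256 posId, uint16 newMode) external {
        require(msg.sender == posOwner[posId], "not owner");
        address[] storage wLps = posWLps[posId];
        for (uint256 i = 0; i < wLps.length; i++) {
            require(modeAllows[newMode][wLps[i]], "invalid mode");
            // Check the report says is missing: without this line a wLp that was
            // blacklisted after deposit would still be carried into newMode.
            require(whitelistedWLps[wLps[i]], "wLp not whitelisted");
        }
        posMode[posId] = newMode;
    }
}
```

With the whitelist check inside the loop, a position holding a wLp that was blacklisted after deposit reverts on setPosMode, matching what collateralizeWLp already does for the same token.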
Assessed type
Error