The protocol governor address can whitelist and delist wLp addresses using the Config#setWhitelistedWLps function. Only whitelisted wLp tokens can be used to collateralize and decollateralize users' positions:
File: InitCore.sol

    function collateralizeWLp(uint _posId, address _wLp, uint _tokenId)
        public
        virtual
        onlyAuthorized(_posId)
        nonReentrant
    {
        ...
        // check if the wLp is whitelisted
        _require(_config.whitelistedWLps(_wLp), Errors.TOKEN_NOT_WHITELISTED);
        ...

    /// @inheritdoc IInitCore
    function decollateralizeWLp(uint _posId, address _wLp, uint _tokenId, uint _amt, address _to)
        public
        virtual
        onlyAuthorized(_posId)
        ensurePositionHealth(_posId)
        nonReentrant
    {
        ...
        // check wLp is whitelisted
        _require(_config.whitelistedWLps(_wLp), Errors.TOKEN_NOT_WHITELISTED);

At the same time, the InitCore#setPosMode function lacks a similar check, effectively allowing users to migrate their delisted wLp tokens as collateral to the new mode.
Impact
Users could change the mode of their positions that are collateralized with delisted wLps.
Proof of Concept
Consider the following scenario:
1. Alice creates a position and collateralizes it with a whitelisted wLp.
2. The governor delists Alice's wLp. All positions with this wLp token are considered isolated.
3. Alice can't decollateralize their position or collateralize new positions with the delisted wLp token. However, because the setPosMode function lacks a whitelist check, Alice can still change the mode of their previously created position.
Recommended Mitigation Steps
Consider adding a check that wLps from the current mode are still whitelisted.
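A minimal sketch of the recommended check, added here as an illustration and not taken from InitCore.sol. It is a self-contained model: the per-position wLp list (posWLps), createPos, setPosModeUnchecked, the custom error and the uint16 mode type are assumptions, and the real contract tracks collateral differently.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model, not InitCore. Only the names setWhitelistedWLps, whitelistedWLps,
// collateralizeWLp and setPosMode come from the report; everything else is hypothetical.
contract PosModeModel {
    address public governor = msg.sender;
    mapping(address => bool) public whitelistedWLps;
    mapping(uint => address) public posOwner;
    mapping(uint => uint16) public posMode;
    mapping(uint => address[]) internal posWLps; // wLp contracts backing each position

    error TokenNotWhitelisted(address wLp);

    modifier onlyAuthorized(uint posId) {
        require(posOwner[posId] == msg.sender, "not authorized");
        _;
    }

    function setWhitelistedWLps(address wLp, bool ok) external {
        require(msg.sender == governor, "not governor");
        whitelistedWLps[wLp] = ok;
    }

    function createPos(uint posId, uint16 mode) external {
        require(posOwner[posId] == address(0), "exists");
        posOwner[posId] = msg.sender;
        posMode[posId] = mode;
    }

    function collateralizeWLp(uint posId, address wLp) external onlyAuthorized(posId) {
        if (!whitelistedWLps[wLp]) revert TokenNotWhitelisted(wLp);
        posWLps[posId].push(wLp);
    }

    // Before: the mode changes without looking at the position's wLp collateral,
    // so a position backed by a delisted wLp can still move to a new mode.
    function setPosModeUnchecked(uint posId, uint16 mode) external onlyAuthorized(posId) {
        posMode[posId] = mode;
    }

    // After: every wLp held by the position must still be whitelisted.
    function setPosMode(uint posId, uint16 mode) external onlyAuthorized(posId) {
        address[] storage wLps = posWLps[posId];
        for (uint i; i < wLps.length; ++i) {
            if (!whitelistedWLps[wLps[i]]) revert TokenNotWhitelisted(wLps[i]);
        }
        posMode[posId] = mode;
    }
}
```

In this model, once the governor delists a wLp that a position holds, setPosMode reverts with TokenNotWhitelisted while setPosModeUnchecked still succeeds, which is the gap the finding describes.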
Lines of code
https://github.com/code-423n4/2023-12-initcapital/blob/main/contracts/core/InitCore.sol#L169
Assessed type
Invalid Validation