Closed c4-bot-8 closed 5 months ago
GalloDaSballo marked the issue as insufficient quality report
Unclear risk + I think it should go in analysis
Out of scope I think as well, since it was mentioned that Aave protocol risks (since it is an upgradable proxy) should not be included.
trust1995 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WrapperHub/AaveHub.sol#L122-L151
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PowerFarms/PendlePowerFarmController/PendlePowerFarmController.sol#L113-L170
Vulnerability details
Impact
If an integrated system, such as Aave or Pendle Power Farms, experiences a security breach or exploit, it could lead to the loss of funds stored in the Wise Lending protocol. Attackers may be able to drain liquidity, steal assets, or manipulate the external system's functionality to their advantage.
Proof of Concept
Integration with external systems such as the Aave protocol and Pendle Power Farms introduces additional security risks and considerations.

The AaveHub contract interacts with the Aave protocol for lending and borrowing functionality. The depositExactAmount function (AaveHub.sol#depositExactAmount) transfers the underlying asset from the user to the AaveHub contract and then calls the internal _wrapDepositExactAmount function, which interacts with Aave to deposit the funds.

The PendlePowerFarmController contract integrates with Pendle Power Farms for yield farming functionality. The exchangeLpFeesForPendleWithIncentive function (PendlePowerFarmController.sol#exchangeLpFeesForPendleWithIncentive) interacts with the Pendle Power Farms system to exchange LP fees for PENDLE tokens.

The code does not include clear contingency plans or risk mitigation strategies for security incidents or failures in the integrated systems. There is no explicit mechanism to pause or halt interactions with external systems when a vulnerability or anomaly is detected.
Tools Used
VsCode
Recommended Mitigation Steps
Implement secure integration mechanisms, such as using secure communication channels, authentication, and authorization protocols when interacting with external systems.
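As an added illustration (not code from the Wise Lending repository or this report), the contract below shows the kind of integration guard the report says is absent: a guardian-controlled circuit breaker that gates only the paths which call out to the external protocol, a reentrancy lock around the outbound call, and an exact-amount allowance so a compromised pool cannot pull more than the current deposit. The names GuardedAaveHubExample, guardian, pauseExternalCalls, unpauseExternalCalls and the IAaveV3Pool interface are assumptions made for the example; the Aave v3 Pool.supply(asset, amount, onBehalfOf, referralCode) signature is the real one. The function names depositExactAmount and _wrapDepositExactAmount mirror the flow described in the report but the bodies are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Wise Lending code. Assumptions: the external target is an
// Aave v3-style Pool exposing supply(); the asset is a standard ERC20 whose
// transferFrom/approve return bool; one guardian address controls the breaker.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IAaveV3Pool {
    function supply(address asset, uint256 amount, address onBehalfOf, uint16 referralCode) external;
}

contract GuardedAaveHubExample {
    address public immutable guardian;
    IAaveV3Pool public immutable pool;

    // Circuit breaker for the integration. Only functions that call out to the
    // external protocol are gated, so pausing can never trap funds held here.
    bool public externalCallsPaused;

    // Minimal reentrancy lock around the outbound call (1 = free, 2 = entered).
    uint256 private _lock = 1;

    mapping(address => uint256) public deposited;

    event Deposited(address indexed user, address indexed asset, uint256 amount);
    event ExternalCallsPaused(address indexed guardian);
    event ExternalCallsUnpaused(address indexed guardian);

    error NotGuardian();
    error ExternalCallsArePaused();
    error Reentrancy();
    error TokenCallFailed();

    modifier onlyGuardian() {
        if (msg.sender != guardian) revert NotGuardian();
        _;
    }

    modifier whenExternalCallsActive() {
        if (externalCallsPaused) revert ExternalCallsArePaused();
        _;
    }

    modifier nonReentrant() {
        if (_lock != 1) revert Reentrancy();
        _lock = 2;
        _;
        _lock = 1;
    }

    constructor(address guardian_, address pool_) {
        guardian = guardian_;
        pool = IAaveV3Pool(pool_);
    }

    // The guardian flips the breaker when the integrated protocol is compromised
    // or misbehaving; resuming is a deliberate, separate action.
    function pauseExternalCalls() external onlyGuardian {
        externalCallsPaused = true;
        emit ExternalCallsPaused(msg.sender);
    }

    function unpauseExternalCalls() external onlyGuardian {
        externalCallsPaused = false;
        emit ExternalCallsUnpaused(msg.sender);
    }

    // Same shape as the flow described in the report: pull the asset from the
    // user, then hand it to the internal wrapper that talks to Aave.
    function depositExactAmount(address asset, uint256 amount)
        external
        whenExternalCallsActive
        nonReentrant
    {
        if (!IERC20(asset).transferFrom(msg.sender, address(this), amount)) revert TokenCallFailed();
        deposited[msg.sender] += amount; // effects recorded before the external interaction
        _wrapDepositExactAmount(asset, amount);
        emit Deposited(msg.sender, asset, amount);
    }

    function _wrapDepositExactAmount(address asset, uint256 amount) internal {
        // Approve exactly the amount being supplied, never an unbounded allowance,
        // so a compromised pool can take at most this deposit.
        if (!IERC20(asset).approve(address(pool), amount)) revert TokenCallFailed();
        pool.supply(asset, amount, address(this), 0);
    }
}
```

The breaker is deliberately scoped to outbound calls: a guardian who can pause deposits into Aave must not also be able to freeze users' ability to withdraw what the hub already holds. For tokens with non-standard approve or transfer semantics, the raw bool checks above would be replaced with a SafeERC20-style wrapper.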
Assessed type
Other