Closed c4-bot-6 closed 5 months ago
Seems to be QA / Admin Privilege, should generally be made OOS by bots, maybe this one was missed
GalloDaSballo marked the issue as insufficient quality report
GalloDaSballo marked the issue as primary issue
trust1995 marked the issue as unsatisfactory: Out of scope
Admin privilege goes into analysis reports.
Hi @trust1995, thanks for judging. The issue stated here is the code not enforcing limits already predefined within the code as rules. If limits did not exist, then it would be exclusively an admin issue, which would then be analysis; however, the maximum limitations set in the code are not implemented.
Hi @Josephdara, that is correct, but still, for the issue to manifest there would need to be misconfiguration by the admin, so it cannot qualify for H/M.
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseLendingDeclaration.sol#L319
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PoolManager.sol#L116-L119
Vulnerability details
Impact
In the codebase, a MAX_COLLATERAL_FACTOR constant is declared for WiseLending.sol (in WiseLendingDeclaration.sol) and for PendlePowerFarm.sol (in PendlePowerFarmDeclarations).
However, these constants are not checked when the collateralFactor itself is modified, allowing the value to be set well above the declared maximum. The maxima are set to 85% and 95% respectively, but neither is enforced.
Proof of Concept
The first instance is the PoolManager contract at https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PoolManager.sol#L116-L119. The new collateral factor is validated against 100e16 (100%) instead of 85e16 (85%), a large difference.
Another instance is the constructor of PendlePowerFarmDeclarations, which also performs an insufficient check. Although these can be categorized as protected (admin-only) functions, they directly break the Max Collateral Factor, which is a protocol invariant.
Tools Used
Manual Review
Recommended Mitigation Steps
Validate the new collateral factor against the individual maximum
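As an added illustration of the check described in this report and of the mitigation above (example code written for this page, not code from the Wise Lending repository), the following minimal contracts model the two instances: a setter that only rejects values above 100% beside one that rejects anything above the declared MAX_COLLATERAL_FACTOR, and a power-farm constructor that validates against its own 95% maximum. Everything other than the names MAX_COLLATERAL_FACTOR and collateralFactor is hypothetical: the PRECISION_FACTOR_E16 / PRECISION_FACTOR_E18 constants, the LendingPoolData struct, the onlyMaster modifier, the error types and the function names are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
// Added example for this report; not code from the Wise Lending repository.
// All names except MAX_COLLATERAL_FACTOR and collateralFactor are hypothetical.
pragma solidity ^0.8.20;

contract PoolManagerExample {
    // Assumed precision constants: 1e16 == 1%, 1e18 == 100%.
    uint256 internal constant PRECISION_FACTOR_E16 = 1e16;
    uint256 internal constant PRECISION_FACTOR_E18 = 1e18;

    // The declared protocol maximum for the lending pools (85%).
    uint256 internal constant MAX_COLLATERAL_FACTOR = 85 * PRECISION_FACTOR_E16;

    struct LendingPoolData {
        uint256 collateralFactor;
    }

    mapping(address => LendingPoolData) public lendingPoolData;

    address public immutable master;

    error NotMaster();
    error InvalidCollateralFactor(uint256 value, uint256 maximum);

    constructor() {
        master = msg.sender;
    }

    modifier onlyMaster() {
        if (msg.sender != master) revert NotMaster();
        _;
    }

    // Insufficient check: only values above 100% are rejected, so any value in
    // (85%, 100%] is accepted even though it exceeds MAX_COLLATERAL_FACTOR.
    function setCollateralFactorWeak(address _poolToken, uint256 _collateralFactor)
        external
        onlyMaster
    {
        if (_collateralFactor > PRECISION_FACTOR_E18) {
            revert InvalidCollateralFactor(_collateralFactor, PRECISION_FACTOR_E18);
        }
        lendingPoolData[_poolToken].collateralFactor = _collateralFactor;
    }

    // Hardened check: validate against the individual maximum before touching storage.
    // With this version, 95e16 reverts while 85e16 is still accepted.
    function setCollateralFactor(address _poolToken, uint256 _collateralFactor)
        external
        onlyMaster
    {
        if (_collateralFactor > MAX_COLLATERAL_FACTOR) {
            revert InvalidCollateralFactor(_collateralFactor, MAX_COLLATERAL_FACTOR);
        }
        lendingPoolData[_poolToken].collateralFactor = _collateralFactor;
    }

    // Pure helper so the bound can be checked off-chain or in tests: true only
    // when the value is within the declared maximum.
    function isValidCollateralFactor(uint256 _collateralFactor) external pure returns (bool) {
        return _collateralFactor <= MAX_COLLATERAL_FACTOR;
    }
}

// The second instance: a power-farm contract whose constructor takes the factor.
// It has its own, higher maximum (95%), so it must validate against that value
// rather than against 100%.
contract PowerFarmExample {
    uint256 internal constant PRECISION_FACTOR_E16 = 1e16;
    uint256 internal constant MAX_COLLATERAL_FACTOR = 95 * PRECISION_FACTOR_E16;

    uint256 public immutable collateralFactor;

    error InvalidCollateralFactor(uint256 value, uint256 maximum);

    constructor(uint256 _collateralFactor) {
        // Hardened constructor check: deployment with e.g. 99e16 reverts here,
        // whereas a check against 1e18 would let it through.
        if (_collateralFactor > MAX_COLLATERAL_FACTOR) {
            revert InvalidCollateralFactor(_collateralFactor, MAX_COLLATERAL_FACTOR);
        }
        collateralFactor = _collateralFactor;
    }
}
```

The point of the hardened versions is that the bound is the same constant the declarations already define, so the invariant is enforced by the code path that writes the value rather than by operator discipline; a test that deploys PowerFarmExample with 99e16, or calls setCollateralFactor with 95e16, should revert with InvalidCollateralFactor, while the weak setter accepts both.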
Assessed type
Invalid Validation