code-423n4 / 2024-02-wise-lending-findings


MAX_COLLATERAL_FACTOR not checked in WiseLending and PendlePowerFarm #208

Closed c4-bot-6 closed 5 months ago

c4-bot-6 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseLendingDeclaration.sol#L319
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PoolManager.sol#L116-L119

Vulnerability details

Impact

In the codebase, a MAX_COLLATERAL_FACTOR is created for WiseLending.sol:

    uint256 internal constant MAX_COLLATERAL_FACTOR = 85 * PRECISION_FACTOR_E16;

and for PendlePowerFarm.sol:

    // RESTRICTION VALUES

    uint256 internal constant MAX_COLLATERAL_FACTOR = 95 * PRECISION_FACTOR_E16;

However, these variables are not checked when modifying the collateralFactor itself, allowing the values to be set well over the maximum. These max values are set to 85% and 95% respectively; however, this is not enforced.

Proof of Concept

The first instance of this is the PoolManager contract at https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PoolManager.sol#L116-L119. The new collateral factor is checked against 100e16 instead of 85e16, which is a large difference:

        _validateParameter(
            _collateralFactor,
            PRECISION_FACTOR_E18 //@audit should be MAX_COLLATERAL_FACTOR
        );

Another instance of this is the constructor of PendlePowerFarmDeclarations, which also does an insufficient check. Although these can be categorized as protected functions, they directly break the Max Collateral Factor, which is a protocol invariant.

Tools Used

Manual Review

Recommended Mitigation Steps

Validate the new collateral factor against the individual maximum

        _validateParameter(
            _collateralFactor,
            MAX_COLLATERAL_FACTOR
        );

Assessed type

Invalid Validation
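
The validation gap described in the finding, as an added illustration that is not code from the Wise Lending repository. The contract below is a hypothetical, minimal stand-in: the two constants mirror the values quoted in the issue (1e16 precision, 85% cap), but `_validateParameter`, the `InvalidParameter` error, the `collateralFactor` mapping and the two setter names are assumptions made for the example, and the admin-only modifier the real setters carry is omitted. It places the weak bound the issue points at (100%) next to the bound the mitigation recommends (MAX_COLLATERAL_FACTOR) so the difference in accepted inputs can be exercised directly.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not Wise Lending code. Shows a collateral-factor setter
/// that is only bounded at 100% beside one bounded by the protocol's own
/// MAX_COLLATERAL_FACTOR invariant. Names other than the two constants quoted
/// in the finding are hypothetical.
contract CollateralFactorBounds {
    uint256 internal constant PRECISION_FACTOR_E16 = 1e16;
    uint256 internal constant PRECISION_FACTOR_E18 = 1e18;

    // 85%, the WiseLending value quoted in the finding.
    uint256 internal constant MAX_COLLATERAL_FACTOR = 85 * PRECISION_FACTOR_E16;

    // Hypothetical error; carries both operands so a revert is self-explaining.
    error InvalidParameter(uint256 value, uint256 limit);

    // Hypothetical storage: per-pool collateral factor, 1e18 = 100%.
    mapping(address => uint256) public collateralFactor;

    /// Hypothetical stand-in for the project's _validateParameter:
    /// reject any value strictly above the supplied limit.
    function _validateParameter(uint256 value, uint256 limit) internal pure {
        if (value > limit) revert InvalidParameter(value, limit);
    }

    /// The weak pattern the finding describes: the only bound is 100%, so a
    /// factor such as 95e16 is accepted even though the constant says 85%.
    function setCollateralFactorWeak(address pool, uint256 factor) external {
        _validateParameter(factor, PRECISION_FACTOR_E18);
        collateralFactor[pool] = factor;
    }

    /// The recommended form: bound by the invariant constant itself, so
    /// 95e16 reverts with InvalidParameter(95e16, 85e16) and 85e16 is the
    /// largest value that is stored.
    function setCollateralFactor(address pool, uint256 factor) external {
        _validateParameter(factor, MAX_COLLATERAL_FACTOR);
        collateralFactor[pool] = factor;
    }

    /// Read-only helper so the cap can be compared off-chain or in a test.
    function maxCollateralFactor() external pure returns (uint256) {
        return MAX_COLLATERAL_FACTOR;
    }
}
```

To reproduce the point in a local node or Remix: deploy the contract, call `setCollateralFactorWeak(pool, 95e16)` and observe that `collateralFactor(pool)` now reads 950000000000000000, then call `setCollateralFactor(pool, 95e16)` and observe the revert with `InvalidParameter(950000000000000000, 850000000000000000)`; `setCollateralFactor(pool, 85e16)` succeeds. In a real deployment the setters would be admin-gated, which is why the thread treats the issue as an admin-privilege question rather than an externally reachable one; the check against the constant still turns a misconfiguration into a revert instead of a silent invariant break.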

GalloDaSballo commented 6 months ago

Seems to be QA / Admin Privilege, should generally be made OOS by bots, maybe this one was missed

c4-pre-sort commented 6 months ago

GalloDaSballo marked the issue as insufficient quality report

c4-pre-sort commented 5 months ago

GalloDaSballo marked the issue as primary issue

c4-judge commented 5 months ago

trust1995 marked the issue as unsatisfactory: Out of scope

trust1995 commented 5 months ago

Admin privilege goes into analysis reports.

Josephdara commented 5 months ago

Hi @trust1995, thanks for judging. The issue stated here is the code not enforcing limits already predefined in the code as rules. If limits did not exist, then it would be exclusively an admin issue, which would then be analysis; however, maximum limitations set in the code are not implemented.

trust1995 commented 5 months ago

Hi @Josephdara, that is correct, but still, for the issue to manifest there would need to be a misconfiguration by the admin, so it cannot qualify for H/M.