search

code-423n4 / 2024-08-wildcat-findings

3 stars 1 forks source link

lender that's mistakenly flagged can lose access to funds #125

Open howlbot-integration[bot] opened 1 month ago

howlbot-integration[bot] commented 1 month ago

Lines of code

https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/src/market/WildcatMarketConfig.sol#L82

Vulnerability details

Impact

The lender can lose access to their funds throughout the withdrawal cycle and will also miss out on any interest accrual during that period.

Description

When lenders are mistakenly flagged by Chainalysis, the borrower can use the overrideSanction function to override the sanction status:

https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/src/WildcatSanctionsSentinel.sol#L96C3-L99C4

   * @dev Overrides the sanction status of `account` for `borrower`.
   */
  function overrideSanction(address account) public override {
    sanctionOverrides[msg.sender][account] = true;
    emit SanctionOverride(msg.sender, account);
  }

However, an issue arises if a lender is mistakenly flagged by Chainalysis. A malicious actor can exploit this by calling the nukeFromOrbit function on the lender to transfer their assets to escrow before the borrower has a chance to call overrideSanction.

This is possible because nukeFromOrbit is an external function and can be called by anyone as long as the lender is flagged as sanctioned:However, an issue arises if a lender is mistakenly flagged by Chainalysis. A malicious actor can exploit this by calling the nukeFromOrbit function on the lender to transfer their assets to escrow before the borrower has a chance to call overrideSanction.

This is possible because nukeFromOrbit is an external function and can be called by anyone as long as the lender is flagged as sanctioned:

https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/src/market/WildcatMarketConfig.sol#L82C1-L88C4

  function nukeFromOrbit(address accountAddress) external nonReentrant sphereXGuardExternal {
    if (!_isSanctioned(accountAddress)) revert_BadLaunchCode();
    MarketState memory state = _getUpdatedState();
    hooks.onNukeFromOrbit(accountAddress, state);
    _blockAccount(state, accountAddress);
    _writeState(state);
  }

As a result, the lender would lose access to their funds

Tools Used

Manual review

Recommended Mitigation Steps

The issue can be mitigated by restricting the function so that only the borrower can call it. This can be done by applying the onlyBorrower modifier, ensuring that no unauthorized parties can call the function

Assessed type

Access Control

3docSec commented 1 month ago

See https://github.com/code-423n4/2024-08-wildcat-validation/issues/295#issuecomment-2411228152

c4-judge commented 1 month ago

3docSec changed the severity to QA (Quality Assurance)

c4-judge commented 1 month ago

3docSec marked the issue as grade-b