Open howlbot-integration[bot] opened 2 months ago
The listed functions which incur higher fees all require the current state of the market to accurately calculate relevant values to the transfer. Because of that, the transfer can't happen until after the state is updated, and it would be expensive (and too large to fit in the contract size) to redo the withdrawal payments post-transfer.
For the repay functions this is more of an issue than the others, as that represents the borrower specifically taking action to repay their debts, whereas the other functions are actions by other parties (and thus we aren't very concerned if they fail to cure the borrower's delinquency for them). We may end up just removing these secondary repay functions.
3docSec marked the issue as satisfactory
Among the group of dupes, this one will be reported as it elaborates on all four functions.
3docSec marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2024-08-wildcat/blob/main/src/market/WildcatMarket.sol#L226
Vulnerability details
Impact
Inconsistency across multiple functions can cause the borrower to pay extra fees
Proof of Concept
Within functions such as `repay` and `repayAndProcessUnpaidWithdrawalBatches`, funds are first pulled from the user in order to use them towards the currently expired, but not yet unpaid batch, and then the updated state is fetched.

However, this is not true for functions such as `closeMarket`, `deposit`, `repayOutstandingDebt` and `repayDelinquentDebt`, where the state is first fetched and only then funds are pulled, forcing the borrower into higher fees.

This inconsistency will cause borrowers to pay extra fees which they otherwise wouldn't.
PoC:
and the logs:
Tools Used
Manual review
Recommended Mitigation Steps
Always pull the funds first and refund later if needed.
Assessed type
Context
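
A toy model of the ordering issue described above, added here as an illustration and not taken from the report or from the Wildcat code base. The `Market` class, the `FEE_BPS` rate, the fee rule and all amounts are assumptions constructed for the example; only the two orderings (fetch state then pull, versus pull then refund) come from the report.

```python
from dataclasses import dataclass

FEE_BPS = 100  # assumed rate charged on whatever the expired batch is still owed

@dataclass
class Market:
    assets: int = 0       # tokens the market holds
    batch_owed: int = 0   # owed to the expired, not yet processed batch
    fees: int = 0         # extra fees accrued against the borrower

    def update_state(self) -> None:
        """Pay the expired batch from current assets, then fee the remainder."""
        paid = min(self.assets, self.batch_owed)
        self.assets -= paid
        self.batch_owed -= paid
        self.fees += self.batch_owed * FEE_BPS // 10_000  # assumed fee rule

    def outstanding(self) -> int:
        """What the borrower still has to transfer to cover batch and fees."""
        return max(0, self.batch_owed + self.fees - self.assets)

def fetch_then_pull(m: Market) -> int:
    """Ordering the report describes for closeMarket, deposit,
    repayOutstandingDebt and repayDelinquentDebt."""
    m.update_state()          # batch is processed before the funds arrive
    amount = m.outstanding()  # amount is derived from the updated state
    m.assets += amount        # pull
    return amount

def pull_then_refund(m: Market, max_amount: int) -> int:
    """Recommended ordering: pull a caller-supplied cap, update, refund the rest."""
    m.assets += max_amount    # pull first
    m.update_state()          # batch is processed with the new funds
    refund = min(max_amount, max(0, m.assets - m.fees))
    m.assets -= refund
    return max_amount - refund  # net amount the borrower paid

def compare(batch_owed: int = 1_000, cap: int = 1_500):
    """Return (amount paid, fees) for each ordering on identical markets."""
    a, b = Market(batch_owed=batch_owed), Market(batch_owed=batch_owed)
    return (fetch_then_pull(a), a.fees), (pull_then_refund(b, cap), b.fees)

if __name__ == "__main__":
    print(compare())
```

The cap passed to `pull_then_refund` stands in for the amount the caller authorizes before the updated state is known, which is the constraint the sponsor's comment raises.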