search

code-423n4 / 2024-08-wildcat-findings

3 stars 1 forks source link

Invalid `hooks templates` could be used for market deployments in the `HooksFactory.deployMarket` function #71

Closed howlbot-integration[bot] closed 2 months ago

howlbot-integration[bot] commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-08-wildcat/blob/main/src/HooksFactory.sol#L506-L515 https://github.com/code-423n4/2024-08-wildcat/blob/main/src/HooksFactory.sol#L530-L544

Vulnerability details

Vulnerability Details

The HooksFactory.deployMarketAndHooks function is used to deploy a hooks instance and a new market using the deployed hooks instance. In this function when the hooks instance is deployed the following check is performed on the HooksTemplate to check whether it exists.

    HooksTemplate memory templateDetails = _templateDetails[hooksTemplate]; //@audit-info - get the HooksTemplate struct
    if (!templateDetails.exists) {
      revert HooksTemplateNotFound(); 
    }
    hooksInstance = _deployHooksInstance(hooksTemplate, hooksTemplateArgs);

The above check ensures that the provided hooksTemplate is valid and does exist to be used in the market deployment.

The HooksFactory.deployMarket function is also used for the market deployment. But the issue is that the template details of the hooksTemplate used for the market deployment in this function is not checked for templateDetails.exists flag.

Impact

As a result of the above vulnerability, even when the templateDetails.exists == false the market deployment will proceed without any revert, thus enabling invalid hooks templates to be used for the market deployments. Hence this vulnerability breaks the intended behavior of the protocol.

Proof of Concept

    HooksTemplate memory templateDetails = _templateDetails[hooksTemplate];
    market = _deployMarket(
      parameters,
      hooksData,
      hooksTemplate,
      templateDetails,
      salt,
      originationFeeAsset,
      originationFeeAmount
    );

https://github.com/code-423n4/2024-08-wildcat/blob/main/src/HooksFactory.sol#L506-L515

    HooksTemplate memory templateDetails = _templateDetails[hooksTemplate];
    if (!templateDetails.exists) {
      revert HooksTemplateNotFound();
    }
    hooksInstance = _deployHooksInstance(hooksTemplate, hooksTemplateArgs);
    parameters.hooks = parameters.hooks.setHooksAddress(hooksInstance);
    market = _deployMarket(
      parameters,
      hooksData,
      hooksTemplate,
      templateDetails,
      salt,
      originationFeeAsset,
      originationFeeAmount
    );

https://github.com/code-423n4/2024-08-wildcat/blob/main/src/HooksFactory.sol#L530-L544

Recommended Mitigation Steps

Hence it is recommended to update the HooksFactory.deployMarket function to check for the !templateDetails.exists flag before the _deployMarket is called, and revert the transaction if the templateDetails.exists == false. This will ensure that invalid hooks templates are not used for the market deployments.

Assessed type

Other

c4-judge commented 1 month ago

3docSec marked the issue as unsatisfactory: Invalid