3docSec
commented
1 month ago Seems to correspond to the statement in README Creating markets for rebasing tokens breaks the underlying interest rate model.
Closed howlbot-integration[bot] closed 2 months ago
3docSec
commented
1 month ago Seems to correspond to the statement in README Creating markets for rebasing tokens breaks the underlying interest rate model.
c4-judge
commented
1 month ago 3docSec marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/README.md#L262
Vulnerability details
Proof of Concept
First, per the readMe, we should assume rebasing tokens are in scope, see https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/README.md#L262
Where as this integration is welcome as the WIldMarketTokens themselves are somewhat rebasing in nature, this then means that users could pay lesser APR, which is because if they (rebasing tokens) are used as underlying assets for markets, when the borrower/market contracts hold these tokens while they are lent, the newly accrued tokens may either be credited to the borrower, or inside the market itself, which in our case would count as the borrower adding liquidity. And result in the borrower needing to pay a lower Annual Percentage Rate (APR) than initially set.
This also means that a tech savvy user can even do this in a morer sophisticated way, assume the rebasing stETH is used as the asset, the stETH token normally rebases at 12pm, so the malicious user can just frontrun the rebase if it'd massively affect their APR, alternatively they can even front/back run the rebase if the new APR would be lower.
Impact
Users would pay lesser APR for some to-be supported borrowable assets.
Recommended Mitigation Steps
Since disallowing rebasing assets is not an option, either track the balance change for these assets or heavily document this behaviour to users.
Assessed type
Context