code-423n4 / 2024-08-wildcat-findings


`maxTotalSupply` can be set to any value, even below the current total supply of the market #90

Open howlbot-integration[bot] opened 2 months ago

howlbot-integration[bot] commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-08-wildcat/blob/main/src/market/WildcatMarketConfig.sol#L101-L111

Vulnerability details

Impact

maxTotalSupply can be set to a value below the current total supply of the market

Proof of Concept

The Wildcat protocol states in README.md that maxTotalSupply cannot be set below the total supply of the market:

capacity can only be reduced to a maximum of the current outstanding supply.

It is also stated in https://docs.wildcat.finance/using-wildcat/day-to-day-usage/borrowers#altering-capacity:

As a borrower, you are able to adjust the capacity up to whatever amount you wish, or down to the market's current outstanding supply of market tokens

However, a borrower can set the maximum total supply to any value, even below the total supply of the market. Copy the code below into WildcatMarket.t.sol and run forge test --match-test test_setMaxTotalSupply_LessThanTotalSupply:

  function test_setMaxTotalSupply_LessThanTotalSupply() external {
    //@audit-info alice deposits 50K
    vm.prank(alice);
    market.depositUpTo(50_000e18);
    vm.prank(borrower);
    market.setMaxTotalSupply(20_000e18);
    //@audit-info maxTotalSupply() is less than totalSupply()
    assertLt(market.maxTotalSupply(), market.totalSupply());
  }

Tools Used

Manual review

Recommended Mitigation Steps

Make sure the new maxTotalSupply is no less than the total supply of the market:

  function setMaxTotalSupply(
    uint256 _maxTotalSupply
  ) external onlyBorrower nonReentrant sphereXGuardExternal {
    MarketState memory state = _getUpdatedState();
    if (state.isClosed) revert_CapacityChangeOnClosedMarket();
+   if (_maxTotalSupply < state.totalSupply()) revert CapacityLessThanTotalSupply();

    hooks.onSetMaxTotalSupply(_maxTotalSupply, state);
    state.maxTotalSupply = _maxTotalSupply.toUint128();
    _writeState(state);
    emit_MaxTotalSupplyUpdated(_maxTotalSupply);
  }

Assessed type

Other
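A regression test for the suggested mitigation, added here as an example and not part of the original finding or the Wildcat test suite. It assumes the same WildcatMarket.t.sol fixture as the PoC above (alice, borrower, market) and that the patched setMaxTotalSupply reverts with a custom error CapacityLessThanTotalSupply() that is declared or imported in the test contract.

```solidity
  // Added example: checks the patched setMaxTotalSupply at and around the
  // totalSupply boundary. Assumes the PoC fixture (alice, borrower, market)
  // and an `error CapacityLessThanTotalSupply();` declaration in scope.
  function test_setMaxTotalSupply_RejectsBelowTotalSupply() external {
    // alice deposits 50K, so the outstanding supply is 50_000e18
    vm.prank(alice);
    market.depositUpTo(50_000e18);
    uint256 supply = market.totalSupply();

    // Lowering capacity below the outstanding supply must now revert
    vm.prank(borrower);
    vm.expectRevert(CapacityLessThanTotalSupply.selector);
    market.setMaxTotalSupply(supply - 1);

    // Boundary: capacity equal to the outstanding supply is still allowed,
    // matching the README wording "down to the market's current outstanding supply"
    vm.prank(borrower);
    market.setMaxTotalSupply(supply);
    assertEq(market.maxTotalSupply(), supply);

    // Raising capacity above the outstanding supply remains unrestricted
    vm.prank(borrower);
    market.setMaxTotalSupply(supply + 1);
    assertGe(market.maxTotalSupply(), market.totalSupply());
  }
```

Run it with forge test --match-test test_setMaxTotalSupply_RejectsBelowTotalSupply; against the unpatched contract the first expectRevert fails, which is the behaviour this issue reports.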

c4-judge commented 1 month ago

3docSec changed the severity to QA (Quality Assurance)

c4-judge commented 1 month ago

3docSec marked the issue as grade-b