code-423n4 / 2024-08-wildcat-findings


`HooksFactory#deployMarket()` doesn't check whether the specified `hooksTemplate` is disabled #91

Closed howlbot-integration[bot] closed 2 months ago

howlbot-integration[bot] commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-08-wildcat/blob/main/src/HooksFactory.sol#L491-L516

Vulnerability details

Impact

A borrower can deploy a market with a previously deployed hook instance even if its hook template has been disabled.

Proof of Concept

The Archcontroller owner can add a hook template by calling `HooksFactory#addHooksTemplate()`. The Archcontroller owner can also disable the hook template by calling `HooksFactory#disableHooksTemplate()`. The Wildcat protocol specified that the Archcontroller owner can deregister hooks instances and factories to prevent the deployment of any further markets:

> Archcontroller Operator: Dictates which addresses are allowed to deploy markets and hooks instances (i.e. act as borrowers). Can deploy new market factories and hooks templates to extend protocol functionality, as well as adjusting fee parameters. Can blacklist ERC-20s to prevent future markets being created for them. Can remove borrowers from archcontroller (preventing them from future deployments), and can deregister hooks instances and factories to prevent the deployment of any further markets. Can effectively pause the entire protocol by updating the associated SphereX transaction monitoring engine to one that rejects all transactions. Cannot manipulate, update or intervene in extant markets beyond aforementioned SphereX pause power.

However, when `HooksFactory#deployMarket()` is called to deploy a new market, it doesn't check whether the specified hook template is disabled. A borrower can deploy a market with a previously deployed hook instance even if its hook template has been disabled.

Tools Used

Manual review

Recommended Mitigation Steps

Check whether the specified hook template is disabled or not when deploying a new market with an existing hook instance:

  function deployMarket(
    DeployMarketInputs calldata parameters,
    bytes calldata hooksData,
    bytes32 salt,
    address originationFeeAsset,
    uint256 originationFeeAmount
  ) external override nonReentrant returns (address market) {
    if (!IWildcatArchController(_archController).isRegisteredBorrower(msg.sender)) {
      revert NotApprovedBorrower();
    }
    address hooksInstance = parameters.hooks.hooksAddress();
    address hooksTemplate = getHooksTemplateForInstance[hooksInstance];
    if (hooksTemplate == address(0)) {
      revert HooksInstanceNotFound();
    }
    HooksTemplate memory templateDetails = _templateDetails[hooksTemplate];
+   if (!templateDetails.enabled) {
+     revert HooksTemplateNotAvailable();
+   }
    market = _deployMarket(
      parameters,
      hooksData,
      hooksTemplate,
      templateDetails,
      salt,
      originationFeeAsset,
      originationFeeAmount
    );
  }
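
Review bot: The new `!templateDetails.enabled` check placed before `_deployMarket` would stop every already-deployed instance of a disabled template from opening further markets, which changes what disabling a template means rather than just closing a gap; the operator text quoted above ties blocking further markets to deregistering hooks instances, not to disabling a template. Confirm that this is the intended behaviour of disabling a template and state it in the function's documentation. Also confirm that `HooksTemplateNotAvailable()` is declared and that the same condition is not already enforced inside `_deployMarket` (neither is visible in these lines), and add a test that deploys an instance, disables its template, and expects this revert.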

Assessed type

Context

c4-judge commented 1 month ago

3docSec marked the issue as unsatisfactory: Invalid