search

code-423n4 / 2024-08-wildcat-findings

3 stars 1 forks source link

Sanctioned user can modify state of the market #92

Open howlbot-integration[bot] opened 2 months ago

howlbot-integration[bot] commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/src/market/WildcatMarket.sol#L202

Vulnerability details

Impact

A sanctioned user may call repay() which will modify the market state. This violates the invariant specified by the team:

Accounts which are flagged as sanctioned on Chainalysis should never be able to successfully modify the state of the market unless the borrower specifically overrides their sanctioned status in the sentinel (other than token approvals, or through their tokens being withdrawn & escrowed in nukeFromOrbit and executeWithdrawal).

Proof of Concept

Add the following test to WildcatMarket.t.sol:

function test_repaySanctionedUser() external {
    _depositBorrowWithdraw(alice, 1e18, 8e17, 1e18);
    sanctionsSentinel.sanction(alice);
    vm.startPrank(alice);
    asset.approve(address(market), 2e17);
    vm.expectEmit(address(market));
    emit DebtRepaid(address(alice), 2e17);
    market.repay(2e17);
}

Tools Used

Manual review

Recommended Mitigation Steps

Include a check to prevent sanctioned users from calling repay().

Assessed type

Invalid Validation

c4-judge commented 1 month ago

3docSec changed the severity to QA (Quality Assurance)

c4-judge commented 1 month ago

3docSec marked the issue as grade-b