Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Minimum deposit requirement can be bypassed #13

Open
c4-bot-2 opened this issue Sep 18, 2024 · 3 comments
Open

Minimum deposit requirement can be bypassed #13

c4-bot-2 opened this issue Sep 18, 2024 · 3 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-a primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_primary AI based primary recommendation 🤖_55_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality

Comments

@c4-bot-2
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/src/access/AccessControlHooks.sol#L850-L880
https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/src/access/AccessControlHooks.sol#L812-L825
https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/src/access/AccessControlHooks.sol#L769-L804

Vulnerability details

Impact

Users can bypass the minimum deposit requirement to create small positions
Small positions may be used as an attack path

Vulnerability Details

The minimum deposit for market is not enforced in the withdrawal process or the transfer process so lender can bypass the requirement.

Say the minimum deposit is 100_000; a user can:

  • Deposit 100_000 to pass the check
  • Withdraw as much as they want, as soon as the withdraw duration will allow them, to leave themselves below the minimum deposit level
    or
  • Transfer as much as they want to another user to leave themselves below the minimum deposit level

Both hooks templates enforce the minimum deposit (if set) in the onDeposit hook as:

  function onDeposit(
    address lender,
    uint scaledAmount,
    MarketState calldata state,
    bytes calldata hooksData
  ) external override {

    // SOME CODE

    // Check that the deposit amount is at or above the market's minimum
    uint normalizedAmount = scaledAmount.rayMul(state.scaleFactor);
>>> if (market.minimumDeposit > normalizedAmount) {
      revert DepositBelowMinimum();
    }

    // SOME CODE
  }

However there is no check when a user executes a transfer of Scaled Tokens or withdraws from the protocol to go below the minimum deposit level.

See onTransfer()

See onQueueWithdrawal()

The market prefers not to allow small positions because they may be too small to be worth the gas cost of conducting operations on.
Furthermore, an attacker can add a large amount of small positions in order to exploit the block gas limit in a function which is gas heavy using operations like looping, such as closeMarket() sich that they may be able to cause a DOS.

POC

Add the test function below to WildcatMarket.t.sol and run:

User bypasses minimum deposit 
  function test_POC_3() external {
    parameters.minimumDeposit = 100_000;
    parameters.withdrawalBatchDuration = 0;
    setUpContracts(false);
    startPrank(alice);
    asset.mint(alice, 1e18);
    asset.approve(address(market), 1e18);
    vm.expectRevert(AccessControlHooks.DepositBelowMinimum.selector);
    market.deposit(50_000);

    market.deposit(100_000);
    uint32 expiry = market.queueWithdrawal(50_000);

    fastForward(parameters.withdrawalBatchDuration + 1);
    market.executeWithdrawal(alice, expiry);

  }

Tools Used

Manual Review
Foundry Testing

Recommendations

Enforce minimum deposit with a check in the onTransfer & onQueueWithdrawal hooks in both hooks templates so that user cannot go below it

Assessed type

Invalid Validation
@c4-bot-2 c4-bot-2 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Sep 18, 2024
c4-bot-2 added a commit that referenced this issue Sep 18, 2024
@c4-bot-2
falconhoof issue #13
17222bd
@c4-bot-13 c4-bot-13 added 🤖_55_group AI based duplicate group recommendation 🤖_primary AI based primary recommendation labels Sep 18, 2024
@laurenceday
Copy link

If this recommendation was taken at face value and implemented, then once a lender deposited assets they'd never be able to get anything out again (because any balance below the minimum deposit would be verboten).

We're not interested in implementing this, and don't consider it a valid finding. Minimum deposit amounts are a QOL improvement for borrowers such as market makers who don't want lenders to park 1,000 USDC into a market when they need to find five multisig signers to execute the transaction to borrow it.

More pragmatically, if the minimum deposit limit is 100,000 USDC and someone wants to subsequently withdraw 99,000 of that straight away, their funds are still going to be locked up for the duration of a withdrawal cycle (in which case no one can access it for the interim). As a matter of common sense, lenders just aren't going to do that (not least because they're probably going to have their KYC held by the borrower in some capacity so could catch blowback). If someone does this anyway, the borrower is well within their rights (and has the ability) to just revoke their deposit credential.

The proposed closeMarket attack path is neither realistic or effective - a borrower could simply call repayAndProcessUnpaidWithdrawalBatches with a sufficiently small maxBatches parameter enough times to clear the backlog and then terminate as expected.

@howlbot-integration howlbot-integration bot added primary issue Highest quality submission among a set of duplicates sufficient quality report This report is of sufficient quality labels Sep 20, 2024
@laurenceday laurenceday mentioned this issue Sep 23, 2024
Open
@3docSec
Copy link

3docSec commented Oct 4, 2024

The impact here is quite unclear, apart from the gas griefing vector that is mitigated as per sponsor's comment

@c4-judge
Copy link
Contributor

c4-judge commented Oct 4, 2024

3docSec changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Oct 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-a primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_primary AI based primary recommendation 🤖_55_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@laurenceday @c4-judge @C4-Staff @c4-bot-2 @3docSec @c4-bot-13