Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Borrower can reduce the maxTotalSupply below the current totalSupply() #14

Open
c4-bot-10 opened this issue Sep 18, 2024 · 3 comments
Open

Borrower can reduce the maxTotalSupply below the current totalSupply() #14

c4-bot-10 opened this issue Sep 18, 2024 · 3 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-a primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_primary AI based primary recommendation 🤖_32_group AI based duplicate group recommendation sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue sufficient quality report This report is of sufficient quality

Comments

@c4-bot-10
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/src/market/WildcatMarketConfig.sol#L101-L111

Vulnerability details

Vulnerability Details

According to the documentation; the borrower should not be able to set the maxTotalSupply below the outstanding supply of market tokens

"As a borrower, you are able to adjust the capacity up to whatever amount you wish, or down to the market's current outstanding supply of market tokens"

This is in order to maintain stability in the market though it is not enforced in setMaxTotalSupply() so borrowers are free to set it to what they want as shown in the test below.

POC

Add the test function below to WildcatMarket.t.sol and run:

Reduce capacity 
  function test_POC_4() external asAccount(borrower) {

    // scaleFactor is 1 so normalized amount also 100_000
    _deposit(alice, 100_000);
    assertEq(market.totalSupply(), 100_000);

    uint256 currentMaxTotalSupply = market.maxTotalSupply();
    assertEq(currentMaxTotalSupply, 20282409603651670423947251286015);

    market.setMaxTotalSupply(100);
    assertEq(market.maxTotalSupply(), 100);

  }

Tools Used

Manual Review
Foundry Testing

Recommendations

Add a check in setMaxTotalSupply to ensure the new value is not less than totalSupply():

function setMaxTotalSupply(
  uint256 _maxTotalSupply
) external onlyBorrower nonReentrant sphereXGuardExternal {

  MarketState memory state = _getUpdatedState();
  
  // Revert if the market is closed
  if (state.isClosed) revert_CapacityChangeOnClosedMarket();

+ if (_maxTotalSupply < state.totalSupply()) revert_NewCapLessThanCurrentSupply();

  // Call the hook for max total supply update
  hooks.onSetMaxTotalSupply(_maxTotalSupply, state);
  
  // Update the state's max total supply
  state.maxTotalSupply = _maxTotalSupply.toUint128();

  // Persist the state change
  _writeState(state);

  // Emit an event indicating the total supply cap has been updated
  emit_MaxTotalSupplyUpdated(_maxTotalSupply);
}

Assessed type

Invalid Validation
@c4-bot-10 c4-bot-10 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Sep 18, 2024
c4-bot-2 added a commit that referenced this issue Sep 18, 2024
@c4-bot-2
falconhoof issue #14
89cd3b8
@c4-bot-11 c4-bot-11 added 🤖_32_group AI based duplicate group recommendation 🤖_primary AI based primary recommendation labels Sep 18, 2024
@howlbot-integration howlbot-integration bot added primary issue Highest quality submission among a set of duplicates sufficient quality report This report is of sufficient quality labels Sep 20, 2024
@d1ll0n
Copy link

d1ll0n commented Oct 2, 2024

This is a documentation / QA issue not a medium - maxTotalSupply is only the cap at which deposits stop being accepted, so reducing it below the current supply only prevents further deposits. In fact, there are cases where you would specifically want it to be less, such as if a borrower wants to set a much lower cap for deposits so that if lenders withdraw below the new limit, deposits are only allowed back up to it.

ex:

  • supply = 100
  • borrower only wants to keep ~60, sets maxTotalSupply = 60
  • lenders withdraw 50
  • deposits capped at another 10

This prevents scenarios where the borrower needs to keep pushing it downward

@d1ll0n d1ll0n added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Oct 2, 2024
@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Oct 4, 2024
@c4-judge
Copy link
Contributor

c4-judge commented Oct 4, 2024

3docSec changed the severity to QA (Quality Assurance)

@c4-judge
Copy link
Contributor

c4-judge commented Oct 4, 2024

3docSec marked the issue as grade-b

@C4-Staff C4-Staff added grade-a and removed grade-b labels Oct 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-a primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_primary AI based primary recommendation 🤖_32_group AI based duplicate group recommendation sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@d1ll0n @c4-judge @C4-Staff @c4-bot-10 @c4-bot-11