Code4rena: 2021-07-WildCredit findings, issue 86
Jul 14, 2021

Incompatibility With Rebasing/Deflationary/Inflationary tokens

Tags: permissionless listing, erc20 assets, protocol balances

Handle

0xRajeev

Vulnerability details

Impact

WildCredit allows the permissionless listing of any ERC20 asset/pair for use in the protocol. Some of these tokens may charge a fee on transfer, distribute rewards, or rebase balances over time. The protocol, however, has no support for handling such tokens. The necessary checks include, at a minimum, measuring the contract's token balance before and after each transfer to/from it and using the difference (rather than the requested amount) to account for any fee, interest, reward or rebase. Such checks are absent from the functions listed below.

Impact: Listing of rebasing/deflationary/inflationary tokens accidentally/maliciously will lead to miscalculations of protocol balances.

Severity Rationale: The severity of this is typically Low if there is functionality for an owner-based vetting/whitelisting of assets but given that there is none in this protocol, the severity is marked as Medium.

Proof of Concept

See finding <https://consensys.net/diligence/audits/2020/12/growth-defi-v1/#evaluate-all-tokens-prior-to-inclusion-in-the-system>

See finding <https://consensys.net/diligence/audits/2021/03/umbra-smart-contracts/#document-token-behavior-restrictions>

<https://github.com/code-423n4/2021-07-wildcredit/blob/82c48d73fd27a9d4d5d4a395b3affcef4ef6c5c8/contracts/LendingPair.sol#L80>

<https://github.com/code-423n4/2021-07-wildcredit/blob/82c48d73fd27a9d4d5d4a395b3affcef4ef6c5c8/contracts/LendingPair.sol#L95>

<https://github.com/code-423n4/2021-07-wildcredit/blob/82c48d73fd27a9d4d5d4a395b3affcef4ef6c5c8/contracts/LendingPair.sol#L103>

<https://github.com/code-423n4/2021-07-wildcredit/blob/82c48d73fd27a9d4d5d4a395b3affcef4ef6c5c8/contracts/LendingPair.sol#L119>

<https://github.com/code-423n4/2021-07-wildcredit/blob/82c48d73fd27a9d4d5d4a395b3affcef4ef6c5c8/contracts/LendingPair.sol#L128>

<https://github.com/code-423n4/2021-07-wildcredit/blob/82c48d73fd27a9d4d5d4a395b3affcef4ef6c5c8/contracts/LendingPair.sol#L144>

<https://github.com/code-423n4/2021-07-wildcredit/blob/82c48d73fd27a9d4d5d4a395b3affcef4ef6c5c8/contracts/LendingPair.sol#L153>

<https://github.com/code-423n4/2021-07-wildcredit/blob/82c48d73fd27a9d4d5d4a395b3affcef4ef6c5c8/contracts/LendingPair.sol#L176>

<https://github.com/code-423n4/2021-07-wildcredit/blob/82c48d73fd27a9d4d5d4a395b3affcef4ef6c5c8/contracts/LendingPair.sol#L285-L286>

<https://github.com/code-423n4/2021-07-wildcredit/blob/82c48d73fd27a9d4d5d4a395b3affcef4ef6c5c8/contracts/LendingPair.sol#L468-L474>

<https://github.com/code-423n4/2021-07-wildcredit/blob/82c48d73fd27a9d4d5d4a395b3affcef4ef6c5c8/contracts/TransferHelper.sol#L19-L23>

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add the necessary checks, at a minimum measuring the contract's token balance before and after each transfer to/from it and crediting only the observed difference, so that any fee, interest, reward or rebase is accounted for. Alternatively, whitelist allowed assets or blacklist disallowed ones.
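A before/after balance check of the kind the mitigation describes, written here as an added example and not code from the WildCredit repository; it assumes the OpenZeppelin `IERC20`/`SafeERC20` interfaces and a hypothetical per-user `deposited` mapping standing in for the pool's accounting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Added example, not WildCredit code: credit what the pool actually received,
/// not the amount the caller asked to move.
contract BalanceCheckedDeposit {
    using SafeERC20 for IERC20;

    // Hypothetical accounting: token => user => amount credited to the user.
    mapping(address => mapping(address => uint256)) public deposited;
    // Hypothetical accounting: token => sum of all credited deposits.
    mapping(address => uint256) public totalDeposited;

    event ReceivedLessThanRequested(address token, uint256 requested, uint256 received);

    /// Pulls `amount` from msg.sender and returns the amount that actually
    /// arrived, which is what a fee-on-transfer token makes differ.
    function _pullTokens(IERC20 token, uint256 amount) internal returns (uint256 received) {
        uint256 balanceBefore = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        uint256 balanceAfter = token.balanceOf(address(this));
        // Solidity 0.8 checked arithmetic reverts if a token somehow reports
        // a lower balance after the transfer instead of silently underflowing.
        received = balanceAfter - balanceBefore;
        if (received < amount) {
            emit ReceivedLessThanRequested(address(token), amount, received);
        }
    }

    /// Deposit path: internal balances only ever grow by observed inflow.
    function deposit(address token, uint256 amount) external {
        uint256 received = _pullTokens(IERC20(token), amount);
        require(received > 0, "nothing received");
        deposited[token][msg.sender] += received;
        totalDeposited[token] += received;
    }

    /// Rebasing tokens change balanceOf() without any transfer, so internal
    /// accounting drifts from the real balance over time. Exposing the drift
    /// lets off-chain monitoring flag a listed token that behaves this way.
    function balanceDrift(address token) external view returns (int256) {
        return int256(IERC20(token).balanceOf(address(this))) - int256(totalDeposited[token]);
    }
}
```

The same before/after pattern applies to the outbound direction: compare the recipient-side or contract-side balance around `safeTransfer` and reconcile against the amount debited, rather than assuming the requested amount moved.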

