Platform: Code4rena
Start Date: 24/07/2023
Pot Size: $100,000 USDC
Total HM: 18
Participants: 73
Period: 7 days
Judge: alcueca
Total Solo HM: 8
Id: 267
League: ETH
Rank: 40/73
Findings: 2
Award: $88.25
🌟 Selected for report: 0
🚀 Solo Findings: 0
43.3709 USDC - $43.37
The TemporalGovernor contract has no payable methods, not even a payable receive / fallback function. The only way to put money in it is through selfdestruct (deprecated) or validator reward transfer, which is the same as saying that it was not designed to receive native token.
However, there's nothing stopping proposals to be queued and executed expecting calls to targets with native token value in them. We can see this was expected in _executeProposal's actual execution logic:
address target = targets[i]; uint256 value = values[i]; bytes memory data = calldatas[i]; // Go make our call, and if it is not successful revert with the error bubbling up (bool success, bytes memory returnData) = target.call{value: value}( data ); // @audit-issue any non zero value will make this call unsuccessful.
All we need is a non-zero value proposal coming from Wormhole, this contract is not expected to have value neither has a good way of providing it, so critical governance proposals might never be able to get executed in the chain where this contract is deployed.
Manual review.
Either add some payable receive method or explicitly revert queued proposals with non-zero value.
ETH-Transfer
#0 - c4-pre-sort
2023-08-03T13:20:42Z
0xSorryNotSorry marked the issue as duplicate of #268
#1 - c4-judge
2023-08-12T20:35:09Z
alcueca marked the issue as satisfactory
#2 - c4-judge
2023-08-12T20:35:14Z
alcueca marked the issue as partial-50
#3 - c4-judge
2023-08-21T21:35:22Z
alcueca changed the severity to 2 (Med Risk)
🌟 Selected for report: immeas
Also found by: 0x70C9, 0xAnah, 0xArcturus, 0xComfyCat, 0xWaitress, 0xackermann, 0xkazim, 2997ms, 33audits, Arz, Aymen0909, ChrisTina, JP_Courses, John_Femi, Jorgect, Kaysoft, LosPollosHermanos, MohammedRizwan, Nyx, Rolezn, Sathish9098, Stormreckson, T1MOH, Tendency, Topmark, Udsen, Vagner, albertwh1te, ast3ros, banpaleo5, berlin-101, catellatech, cats, codetilda, cryptonue, eeshenggoh, fatherOfBlocks, hals, jamshed, jaraxxus, josephdara, kankodu, kodyvim, kutugu, lanrebayode77, mert_eren, nadin, naman1778, niki, petrichor, ravikiranweb3, said, solsaver, souilos, twcctop, wahedtalash77
44.8793 USDC - $44.88
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L146-L156 https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L173-L183
The trustedSenders array makes use of EnumerableSet. When doing an addition of an already present element, the EnumerableSet add method will return false. However, function setTrustedSenders does not check this return value and it still emits a TrustedSenderUpdated event, even though no trusted sender got changed.
A similar thing can be said regarding function unSetTrustedSenders and EnumerableSet's remove method: when the element is not present in the array in the first place, an event still gets emitted.
Manual review.
Check the EnumerableSet's return value to know whether or not it should emit an event.
Loop
#0 - 0xSorryNotSorry
2023-08-02T16:42:27Z
If the function returns, the execution will halt.
Invalid.
#1 - c4-pre-sort
2023-08-02T16:42:30Z
0xSorryNotSorry marked the issue as low quality report
#2 - alcueca
2023-08-14T21:51:14Z
The warden is right, but the events won't be fake, just redundant. Valid as QA.
#3 - c4-judge
2023-08-14T21:51:20Z
alcueca changed the severity to QA (Quality Assurance)
#4 - c4-judge
2023-08-14T21:51:26Z
alcueca marked the issue as grade-a