Moonwell - 2997ms's results

An open lending and borrowing DeFi protocol.

General Information

Platform: Code4rena

Start Date: 24/07/2023

Pot Size: $100,000 USDC

Total HM: 18

Participants: 73

Period: 7 days

Judge: alcueca

Total Solo HM: 8

Id: 267

League: ETH


Researcher Performance

Rank: 71/73

Findings: 1

Award: $15.29

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Comptroller.sol#L772-L798
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Comptroller.sol#L1060-L1062

Vulnerability details

Impact

Once the contracts are in use, the storage array allMarkets will keep filling up with tokens; since there is no mechanism to remove elements, this will cause the getAllMarkets() function to become a DoS vector once many tokens have been listed.

Proof of Concept

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Comptroller.sol#L772-L798
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Comptroller.sol#L1060-L1062

Tools Used

Manual reading

Recommended Mitigation Steps

Add a withdraw() function with which an element can be removed from allMarkets. This would stop the array from growing without ever shrinking.

Assessed type

DoS

#0 - 0xSorryNotSorry

2023-08-02T15:43:51Z

getAllMarkets is a view function and can't be DoS'ed unless it is used in a state-changing function, which doesn't exist inside the codebase.

Invalid.

#1 - c4-pre-sort

2023-08-02T15:43:55Z

0xSorryNotSorry marked the issue as low quality report

#2 - alcueca

2023-08-14T21:26:43Z

getAllMarkets is view, but allMarkets gets used in state-changing function, and the documentation should highlight that governance must be careful with how many markets it adds, because they add to the gas cost of certain functions, and can't be removed. Being able to remove markets would be even better.

#3 - c4-judge

2023-08-14T21:26:47Z

alcueca changed the severity to QA (Quality Assurance)

#4 - c4-judge

2023-08-14T21:26:51Z

alcueca marked the issue as grade-b
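To make the thread's two points concrete, here is an added example (my own illustration, not Moonwell's Comptroller.sol or any code from the contest): a hypothetical registry whose markets array is append-only, a state-changing function whose gas cost grows with that array (the judge's concern), and the two mitigations the thread suggests, a governance-facing cap on the number of listed markets and a swap-and-pop removal so the array can shrink. The contract name, the MAX_MARKETS value, and the updateAllRewardIndices() loop are assumptions chosen for the demonstration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical minimal market registry (NOT Moonwell's Comptroller).
/// Shows an append-only market list, a state-changing function that
/// iterates it, a cap on its length, and an O(1) removal path.
contract MarketRegistry {
    struct Market {
        bool isListed;
        uint256 index; // position of this market inside allMarkets
    }

    // Assumed cap: documents the upper bound governance must respect so
    // that functions looping over allMarkets stay well below the block gas limit.
    uint256 public constant MAX_MARKETS = 32;

    address public admin;
    address[] public allMarkets;
    mapping(address => Market) public markets;
    mapping(address => uint256) public rewardIndex;

    event MarketListed(address indexed market);
    event MarketDelisted(address indexed market);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    /// Lists a market. Without the MAX_MARKETS check this array can only grow.
    function supportMarket(address mToken) external onlyAdmin {
        require(!markets[mToken].isListed, "already listed");
        require(allMarkets.length < MAX_MARKETS, "market cap reached");
        markets[mToken] = Market({isListed: true, index: allMarkets.length});
        allMarkets.push(mToken);
        emit MarketListed(mToken);
    }

    /// Removal path the finding asks for. Swap-and-pop keeps the operation O(1)
    /// and keeps `index` consistent for the market moved into the freed slot.
    /// A real lending protocol must additionally verify the market has no open
    /// supply/borrow positions before delisting; that check is out of scope here.
    function removeMarket(address mToken) external onlyAdmin {
        Market storage m = markets[mToken];
        require(m.isListed, "not listed");

        uint256 idx = m.index;
        uint256 last = allMarkets.length - 1;
        if (idx != last) {
            address moved = allMarkets[last];
            allMarkets[idx] = moved;
            markets[moved].index = idx;
        }
        allMarkets.pop();
        delete markets[mToken];
        emit MarketDelisted(mToken);
    }

    /// A state-changing function whose gas cost is linear in allMarkets.length:
    /// every iteration performs at least one cold SLOAD and one SSTORE.
    /// This is the shape of function the judge refers to; the view getter
    /// below is not the problem, the loop in a transaction is.
    function updateAllRewardIndices() external {
        uint256 n = allMarkets.length;
        for (uint256 i = 0; i < n; ++i) {
            rewardIndex[allMarkets[i]] += 1;
        }
    }

    /// Equivalent of getAllMarkets(): a view, so by itself it cannot be DoS'ed
    /// on-chain; it only becomes a problem when iterated inside a transaction.
    function getAllMarkets() external view returns (address[] memory) {
        return allMarkets;
    }
}
```

When reviewing a protocol of this shape, grep for every loop over the markets array in non-view functions (reward accrual, liquidity calculations, pause/unpause sweeps) and check whether any of them is on a user-facing path; a cap like MAX_MARKETS or a removal function only helps if governance documentation and tests actually enforce the bound.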
