Moonwell - 33audits's results

An open lending and borrowing DeFi protocol.

General Information

Platform: Code4rena

Start Date: 24/07/2023

Pot Size: $100,000 USDC

Total HM: 18

Participants: 73

Period: 7 days

Judge: alcueca

Total Solo HM: 8

Id: 267

League: ETH

Researcher Performance

Rank: 53/73

Findings: 1

Award: $44.88

QA: grade-a

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/MToken.sol#L159

Vulnerability details

Impact

The approve function overrides the ERC20 function and allows a user to approve someone else to spend tokens on their behalf. However, there are some tokens (LEND) that will revert if the allowance isn't set to zero before changing the allowance. Consider setting allowance to zero first as this is safer against front-running attacks and will also allow for tokens that need approve(0) to be set first.

Proof of Concept

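    function approve(address spender, uint256 amount) override external returns (bool) {
        // Overwrites any existing allowance for `spender` in one storage write
        address src = msg.sender;
        transferAllowances[src][spender] = amount;
        emit Approval(src, spender, amount);
        return true;
    }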

Tools Used

Manual review.

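Recommended Mitigation Steps

    function approve(address spender, uint256 amount) override external returns (bool) {
        address src = msg.sender;
        // Reset the allowance to zero before writing the new value
        transferAllowances[src][spender] = 0;
        transferAllowances[src][spender] = amount;
        emit Approval(src, spender, amount);
        return true;
    }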

Assessed type

Token-Transfer
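
An added example, not code from the Moonwell repository or from the submitted finding: a minimal allowance ledger contrasting a plain overwrite with the zero-first rule the finding attributes to some tokens and with delta-based allowance changes. The contract name `AllowanceLedger` and the functions `approveZeroFirst`, `increaseAllowance`, `decreaseAllowance` and `_set` are assumptions made for illustration; only `transferAllowances` and `Approval` appear on the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Illustrative allowance ledger (hypothetical contract, not MToken).
contract AllowanceLedger {
    mapping(address => mapping(address => uint256)) public transferAllowances;

    event Approval(address indexed owner, address indexed spender, uint256 amount);

    /// Plain overwrite, the behaviour of the approve snippet in the finding.
    function approve(address spender, uint256 amount) external returns (bool) {
        _set(msg.sender, spender, amount);
        return true;
    }

    /// Zero-first rule: a non-zero allowance can only be replaced after it
    /// has been reset to 0 in an earlier call. An integration that calls
    /// this with a new non-zero amount while one is outstanding reverts.
    function approveZeroFirst(address spender, uint256 amount) external returns (bool) {
        require(
            amount == 0 || transferAllowances[msg.sender][spender] == 0,
            "reset allowance to 0 first"
        );
        _set(msg.sender, spender, amount);
        return true;
    }

    /// Delta-based change: the owner states the adjustment, so the result
    /// does not depend on how much the spender has already used.
    function increaseAllowance(address spender, uint256 added) external returns (bool) {
        _set(msg.sender, spender, transferAllowances[msg.sender][spender] + added);
        return true;
    }

    function decreaseAllowance(address spender, uint256 subtracted) external returns (bool) {
        uint256 current = transferAllowances[msg.sender][spender];
        require(current >= subtracted, "decrease below zero");
        _set(msg.sender, spender, current - subtracted);
        return true;
    }

    function _set(address owner, address spender, uint256 amount) private {
        // One storage write. Writing 0 and then `amount` inside the same call
        // leaves exactly this state, so the reset only changes ordering when
        // it is sent as its own transaction.
        transferAllowances[owner][spender] = amount;
        emit Approval(owner, spender, amount);
    }
}
```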

#0 - c4-pre-sort

2023-08-03T14:03:18Z

0xSorryNotSorry marked the issue as primary issue

#1 - ElliotFriedman

2023-08-03T21:48:22Z

not a real issue

#2 - c4-sponsor

2023-08-03T21:48:25Z

ElliotFriedman marked the issue as sponsor disputed

#3 - alcueca

2023-08-12T22:16:42Z

Valid as QA, should be added to the governance guidelines on which tokens are not compatible with the protocol.

#4 - c4-judge

2023-08-12T22:16:56Z

alcueca changed the severity to QA (Quality Assurance)

#5 - c4-judge

2023-08-12T22:17:00Z

alcueca marked the issue as grade-a
