Back to ABAIKUNANBAEV's contests

Moonwell - ABAIKUNANBAEV's results

An open lending and borrowing DeFi protocol.

General Information

Platform: Code4rena

Start Date: 24/07/2023

Pot Size: $100,000 USDC

Total HM: 18

Participants: 73

Period: 7 days

Judge: alcueca

Total Solo HM: 8

Id: 267

League: ETH

Moonwell

Findings Distribution

Researcher Performance

Rank: 25/73

Findings: 2

Award: $321.64

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryMoonwell

Findings Information

🌟 Selected for report: immeas

Also found by: 0xkazim, ABAIKUNANBAEV, T1MOH, berlin-101, bin2chen, kutugu, markus_ether

Labels

bug
2 (Med Risk)
partial-25
duplicate-314

Awards

59.6773 USDC - $59.68

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L249

Vulnerability details

Impact

In TemporalGovernor.sol, there is permissionlessUnpauseTime that can be set in the constructor by the owner (the guardian). The guardian has the right to set this parameter but the governance decides whether to grant the guardian the pausing ability or not. The problem is that, after calling togglePause() function, the guardian ability is revoked and the permissionlessUnpause() will be called when it's past pause window. The guardian has influence over permissionlessUnpauseTime and can set it to any number so that the contract cannot be unpaused again.

Proof of Concept

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L69 https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L248-251

Tools Used

Manual review

Set some bounds for permissionlessUnpauseTime so that the guardian couldn't possibly manipulate it.

Assessed type

Timing

#0 - c4-pre-sort

2023-08-03T13:29:18Z

0xSorryNotSorry marked the issue as duplicate of #232

#1 - c4-judge

2023-08-12T20:50:04Z

alcueca marked the issue as satisfactory

#2 - c4-judge

2023-08-12T20:50:15Z

alcueca marked the issue as partial-25

Findings Information

🌟 Selected for report: Aymen0909

Also found by: ABAIKUNANBAEV, Jigsaw, hals, sces60107

Labels

bug
2 (Med Risk)
partial-50
duplicate-276

Awards

261.9578 USDC - $261.96

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L266

Vulnerability details

Impact

In TemporalGovernor.sol, the guardian is supposed to call fastTrackProposalExecution() in a pausing state of the contract when the governance is compromised and it's crucial to execute new proposals fast with queueTime == 0. However, current implementation of this function contains only onlyOwner modifier and it doesn't make sure that the contract is in a pausing state. This opens up a possibility for the guardian to execute any proposals without delay.

Proof of Concept

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L266-268 https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L364-367

Tools Used

Manual review.

Add whenPaused modifier to the fastTrackProposalExecution() function

Assessed type

Other

#0 - c4-pre-sort

2023-08-03T13:53:46Z

0xSorryNotSorry marked the issue as duplicate of #245

#1 - c4-judge

2023-08-12T20:42:22Z

alcueca marked the issue as satisfactory

#2 - c4-judge

2023-08-12T20:42:26Z

alcueca marked the issue as partial-50

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter