Moonwell - Topmark's results

An open lending and borrowing DeFi protocol.

General Information

Platform: Code4rena

Start Date: 24/07/2023

Pot Size: $100,000 USDC

Total HM: 18

Participants: 73

Period: 7 days

Judge: alcueca

Total Solo HM: 8

Id: 267

League: ETH

Moonwell

Findings Distribution

Researcher Performance

Rank: 66/73

Findings: 1

Award: $15.29

QA:

grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Moonwell

Findings Information

🌟 Selected for report: immeas

Also found by: 0x70C9, 0xAnah, 0xArcturus, 0xComfyCat, 0xWaitress, 0xackermann, 0xkazim, 2997ms, 33audits, Arz, Aymen0909, ChrisTina, JP_Courses, John_Femi, Jorgect, Kaysoft, LosPollosHermanos, MohammedRizwan, Nyx, Rolezn, Sathish9098, Stormreckson, T1MOH, Tendency, Topmark, Udsen, Vagner, albertwh1te, ast3ros, banpaleo5, berlin-101, catellatech, cats, codetilda, cryptonue, eeshenggoh, fatherOfBlocks, hals, jamshed, jaraxxus, josephdara, kankodu, kodyvim, kutugu, lanrebayode77, mert_eren, nadin, naman1778, niki, petrichor, ravikiranweb3, said, solsaver, souilos, twcctop, wahedtalash77

Awards

15.2931 USDC - $15.29

Labels

bug

downgraded by judge

grade-b

low quality report

QA (Quality Assurance)

Q-02

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L848 https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L892

Vulnerability details

Impact

Avoidable Multiplication Overflow Error could prevent execution of compulsory code executions causing denial of Service when necessary code needs to be executed but due preventable over flow error it cant be executed

Proof of Concept

 848.     uint256 supplierDelta = mul_(_supplierTokens, deltaIndex);
...
 892.     uint256 supplierDelta = mul_(_BorrowerTokens, deltaIndex);

Tools Used

Solidity,Hardhat

Recommended Mitigation Steps

division in fragment should prevent this

 function mul_(Double memory a, Double memory b) pure internal returns (Double memory) {
   -     return Double({mantissa: mul_(a.mantissa, b.mantissa) / doubleScale});
   +    return Double({mantissa: mul_(a.mantissa, b.mantissa/expScale) / expScale});
    }

Assessed type

DoS

#0 - 0xSorryNotSorry
2023-08-01T10:42:08Z

Technically valid but unrealistic. The values should be at least 2**128 each.

Could be QA.

#1 - c4-pre-sort
2023-08-01T10:42:12Z

0xSorryNotSorry marked the issue as low quality report

#2 - c4-judge
2023-08-13T14:22:21Z

alcueca changed the severity to QA (Quality Assurance)

#3 - c4-judge
2023-08-13T14:22:24Z

alcueca marked the issue as grade-b

Moonwell - Topmark's results

An open lending and borrowing DeFi protocol.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-02] QA Report - $15.29

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type

#0 - 0xSorryNotSorry2023-08-01T10:42:08Z

#1 - c4-pre-sort2023-08-01T10:42:12Z

#2 - c4-judge2023-08-13T14:22:21Z

#3 - c4-judge2023-08-13T14:22:24Z

#0 - 0xSorryNotSorry
2023-08-01T10:42:08Z

#1 - c4-pre-sort
2023-08-01T10:42:12Z

#2 - c4-judge
2023-08-13T14:22:21Z

#3 - c4-judge
2023-08-13T14:22:24Z