Platform: Code4rena
Start Date: 24/07/2023
Pot Size: $100,000 USDC
Total HM: 18
Participants: 73
Period: 7 days
Judge: alcueca
Total Solo HM: 8
Id: 267
League: ETH
Rank: 18/73
Findings: 3
Award: $589.38
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: immeas
Also found by: 0xComfyCat, Vagner, ast3ros, kutugu, markus_ether, volodya
151.5613 USDC - $151.56
https://github.com/code-423n4/2023-07-moonwell/blob/657fb2bcdb25ef44a4826b08390677c3fd41b92d/src/core/Governance/TemporalGovernor.sol#L322 https://github.com/code-423n4/2023-07-moonwell/blob/657fb2bcdb25ef44a4826b08390677c3fd41b92d/src/core/Governance/TemporalGovernor.sol#L344-L409
A proposal for another contract can be executed in the TemporalGovernor contract if the guardian turns malicious. It can happen because if the guardian uses fastTrackProposalExecution, the _executeProposal function does not check the intendedRecipient of the proposal. The intendedRecipient is the address of the contract that the proposal is for.
The guardian account can call fastTrackProposalExecution to execute a proposal without queuing. The intended recipient is checked in queueProposal but not in executeProposal.
https://github.com/code-423n4/2023-07-moonwell/blob/657fb2bcdb25ef44a4826b08390677c3fd41b92d/src/core/Governance/TemporalGovernor.sol#L322 https://github.com/code-423n4/2023-07-moonwell/blob/657fb2bcdb25ef44a4826b08390677c3fd41b92d/src/core/Governance/TemporalGovernor.sol#L344-L409
Therefore, the guardian has the ability to execute a proposal not intended for the Temporal Governor. If the guardian is malicious, it can use this loophole to execute a proposal and set the protocol to a wrong state.
Manual Review
Add the intended recipient check in _executeProposal function.
function _executeProposal(bytes memory VAA, bool overrideDelay) private { ... require( trustedSenders[vm.emitterChainId].contains(vm.emitterAddress), /// allow multiple per chainid "TemporalGovernor: Invalid Emitter Address" ); + require(intendedRecipient == address(this), "TemporalGovernor: Incorrect destination"); ... }
Context
#0 - c4-pre-sort
2023-08-03T13:24:25Z
0xSorryNotSorry marked the issue as duplicate of #308
#1 - c4-judge
2023-08-12T20:29:06Z
alcueca marked the issue as satisfactory
#2 - c4-judge
2023-08-12T20:29:10Z
alcueca marked the issue as partial-50
🌟 Selected for report: 0xWaitress
Also found by: 0xWaitress, Nyx, ast3ros, catellatech, kodyvim, nadin
392.9367 USDC - $392.94
https://github.com/code-423n4/2023-07-moonwell/blob/657fb2bcdb25ef44a4826b08390677c3fd41b92d/src/core/IRModels/JumpRateModel.sol#L74 https://github.com/code-423n4/2023-07-moonwell/blob/657fb2bcdb25ef44a4826b08390677c3fd41b92d/src/core/IRModels/WhitePaperInterestRateModel.sol#L57
The expected utilization rate is between 0 and 1e18. However, the utilization rate can be more than 1e18 when the reserve is more than cash.
The utilization rate is calculated by the following formula:
borrows / (cash + borrows - reserves)
https://github.com/code-423n4/2023-07-moonwell/blob/657fb2bcdb25ef44a4826b08390677c3fd41b92d/src/core/IRModels/JumpRateModel.sol#L74 https://github.com/code-423n4/2023-07-moonwell/blob/657fb2bcdb25ef44a4826b08390677c3fd41b92d/src/core/IRModels/WhitePaperInterestRateModel.sol#L57
However, when the protocol runs for a very long time, the reserves can accumulate and can be more than cash. Therefore, the utilization rate can be more than 1e18.
For reference, please check this issue: https://github.com/code-423n4/2023-05-venus-findings/issues/122
Manual Review
Add a case where the utilization rate returns 1 if reserves > cash.
Other
#0 - c4-pre-sort
2023-08-03T14:02:30Z
0xSorryNotSorry marked the issue as duplicate of #135
#1 - ElliotFriedman
2023-08-03T21:42:57Z
reserves can be pulled back to admin address by admin, so this is a non issue
#2 - c4-sponsor
2023-08-03T21:43:01Z
ElliotFriedman marked the issue as sponsor disputed
#3 - c4-judge
2023-08-13T13:43:38Z
alcueca marked the issue as satisfactory
🌟 Selected for report: immeas
Also found by: 0x70C9, 0xAnah, 0xArcturus, 0xComfyCat, 0xWaitress, 0xackermann, 0xkazim, 2997ms, 33audits, Arz, Aymen0909, ChrisTina, JP_Courses, John_Femi, Jorgect, Kaysoft, LosPollosHermanos, MohammedRizwan, Nyx, Rolezn, Sathish9098, Stormreckson, T1MOH, Tendency, Topmark, Udsen, Vagner, albertwh1te, ast3ros, banpaleo5, berlin-101, catellatech, cats, codetilda, cryptonue, eeshenggoh, fatherOfBlocks, hals, jamshed, jaraxxus, josephdara, kankodu, kodyvim, kutugu, lanrebayode77, mert_eren, nadin, naman1778, niki, petrichor, ravikiranweb3, said, solsaver, souilos, twcctop, wahedtalash77
44.8793 USDC - $44.88
There is no min and max checking when setting closeFactorMantissa. The admin can mistakenly set it to wrong number that break the operation of the protocol. For example if it is set to 0, no one can liquidate. If it set to more than 1, the liquidation and accounting process will be wrong.
Some key parameters, such as closeFactorMantissa and liquidationIncentiveMantissa, are not set in the constructor. This can cause the protocol to operate incorrectly if the admin forgets to call the function to set them later.
It is advisable to set default values for these parameters in the constructor, so that they are initialized when the contract is deployed. This can prevent potential errors and ensure the proper functioning of the protocol.
https://github.com/code-423n4/2023-07-moonwell/blob/657fb2bcdb25ef44a4826b08390677c3fd41b92d/src/core/Comptroller.sol#L70-L72 https://github.com/code-423n4/2023-07-moonwell/blob/657fb2bcdb25ef44a4826b08390677c3fd41b92d/src/core/ComptrollerStorage.sol#L40 https://github.com/code-423n4/2023-07-moonwell/blob/657fb2bcdb25ef44a4826b08390677c3fd41b92d/src/core/ComptrollerStorage.sol#L45
protocolSeizeShareMantissa is not set in the initialize function. This can cause the protocol to operate incorrectly if the admin forgets to call the function to set it later.
It is advisable to set default values for these parameters in the initialize function, so that they are initialized when the contract is deployed. This can prevent potential errors and ensure the proper functioning of the protocol.
https://github.com/code-423n4/2023-07-moonwell/blob/657fb2bcdb25ef44a4826b08390677c3fd41b92d/src/core/MErc20.sol#L23-L36 https://github.com/code-423n4/2023-07-moonwell/blob/657fb2bcdb25ef44a4826b08390677c3fd41b92d/src/core/MTokenInterfaces.sol#L81
The current code uses the variable name blockDelta to store the difference between the current and the previous block timestamps. This can be misleading, as it implies that the variable represents the number of blocks, not the time elapsed.
A better name for this variable would be blockTimeStampDelta, as it clearly indicates that it is the delta of the block timestamps. This can avoid confusion and make the code more readable and understandable.
1e18 value should be replaced with constant to improve readability.
https://github.com/code-423n4/2023-07-moonwell/blob/657fb2bcdb25ef44a4826b08390677c3fd41b92d/src/core/IRModels/WhitePaperInterestRateModel.sol#L38-L39 https://github.com/code-423n4/2023-07-moonwell/blob/657fb2bcdb25ef44a4826b08390677c3fd41b92d/src/core/IRModels/WhitePaperInterestRateModel.sol#L57 https://github.com/code-423n4/2023-07-moonwell/blob/657fb2bcdb25ef44a4826b08390677c3fd41b92d/src/core/IRModels/WhitePaperInterestRateModel.sol#L83-L84
#0 - c4-judge
2023-08-12T17:34:22Z
alcueca marked the issue as grade-a
#1 - c4-sponsor
2023-08-15T18:33:29Z
ElliotFriedman marked the issue as sponsor confirmed