Platform: Code4rena
Start Date: 24/07/2023
Pot Size: $100,000 USDC
Total HM: 18
Participants: 73
Period: 7 days
Judge: alcueca
Total Solo HM: 8
Id: 267
League: ETH
Rank: 57/73
Findings: 1
Award: $44.88
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: immeas
Also found by: 0x70C9, 0xAnah, 0xArcturus, 0xComfyCat, 0xWaitress, 0xackermann, 0xkazim, 2997ms, 33audits, Arz, Aymen0909, ChrisTina, JP_Courses, John_Femi, Jorgect, Kaysoft, LosPollosHermanos, MohammedRizwan, Nyx, Rolezn, Sathish9098, Stormreckson, T1MOH, Tendency, Topmark, Udsen, Vagner, albertwh1te, ast3ros, banpaleo5, berlin-101, catellatech, cats, codetilda, cryptonue, eeshenggoh, fatherOfBlocks, hals, jamshed, jaraxxus, josephdara, kankodu, kodyvim, kutugu, lanrebayode77, mert_eren, nadin, naman1778, niki, petrichor, ravikiranweb3, said, solsaver, souilos, twcctop, wahedtalash77
44.8793 USDC - $44.88
The require() check inside the mintAllowed() function checks to see if nextTotalSupplies < supplyCap, not allowing the user to be approved to mint.
While this should be appropriate if the nextTotalSupplies is greater than the supply cap, it explicitly uses the < symbol. Is the user not allowed to mint if nextTotalSupplies == supplyCap? If that were the case he should replace "<" with "<=".
I also found this inside the borrowAllowed() function with the same idea, except for nextTotalBorrows < borrowCap. Forgive me if my explanation is poor, I am a beginner.
Recommendation: If users are allowed to borrow or mint when we are == to the cap and not explicitly less than it, we should replace "<" with "<="
Instances:
https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Comptroller.sol#L236C1-L236C1
https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Comptroller.sol#L341C13-L341C13
#0 - c4-judge
2023-08-12T17:44:12Z
alcueca marked the issue as grade-a
#1 - c4-sponsor
2023-08-15T18:31:00Z
ElliotFriedman marked the issue as sponsor disputed
#2 - ElliotFriedman
2023-08-15T18:31:36Z
users should be able to mint only up to less than the supply cap
#3 - midori-fuse
2023-08-23T06:31:20Z
How is this grade A?
There is a single finding, which the sponsor disputed. Furthermore, given that total deposits and borrows continuously accrue through interest, it should not be realistic that anyone is able to mint up to the exact cap. Even if they do so, why would it be a problem if they are only able to deposit/borrow one wei less than intended?
In any case this is much less impactful than numerous other grade B reports. There are also no HM findings judged as QA by this warden.