Moonwell - codetilda's results

An open lending and borrowing DeFi protocol.

General Information

Platform: Code4rena

Start Date: 24/07/2023

Pot Size: $100,000 USDC

Total HM: 18

Participants: 73

Period: 7 days

Judge: alcueca

Total Solo HM: 8

Id: 267

League: ETH


Researcher Performance

Rank: 60/73

Findings: 1

Award: $15.29

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

L-001 Should check available amount before transferring funds

Instance 1

MultiRewardDistributor.sol#L471-L487

    function _rescueFunds(
        address _tokenAddress,
        uint256 _amount
    ) external onlyComptrollersAdmin {
        IERC20 token = IERC20(_tokenAddress);
        // Similar to mTokens, if this is uint256.max that means "transfer everything"
        if (_amount == type(uint256).max) {
            token.safeTransfer(
                comptroller.admin(),
                token.balanceOf(address(this))
            );
        } else {
            // @audit Should check available balance
            require(
                _amount <= token.balanceOf(address(this)),
                "Not enough token balance"
            );
            token.safeTransfer(comptroller.admin(), _amount);
        }

        emit FundsRescued(_tokenAddress, _amount);
    }

Instance 2

Comptroller.sol#L959-L969

    function _rescueFunds(address _tokenAddress, uint _amount) external {
        require(msg.sender == admin, "Unauthorized");
        IERC20 token = IERC20(_tokenAddress);
        // Similar to mTokens, if this is uint.max that means "transfer everything"
        if (_amount == type(uint).max) {
            token.transfer(admin, token.balanceOf(address(this)));
        } else {
            // @audit Should check available balance before transfer
            require(
                _amount <= token.balanceOf(address(this)),
                "Not enough token balance"
            );
            token.transfer(admin, _amount);
        }
    }

#0 - c4-judge

2023-08-12T18:09:14Z

alcueca marked the issue as grade-b
