Moonwell - lanrebayode77's results

An open lending and borrowing DeFi protocol.

General Information

Platform: Code4rena

Start Date: 24/07/2023

Pot Size: $100,000 USDC

Total HM: 18

Participants: 73

Period: 7 days

Judge: alcueca

Total Solo HM: 8

Id: 267

League: ETH


Findings Distribution

Researcher Performance

Rank: 73/73

Findings: 1

Award: $15.29

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Comptroller.sol#L232-L233

Vulnerability details

Impact

The mintAllowed function in Comptroller.sol, which checks whether an account should be allowed to mint tokens in the given market, will begin to fail if totalReserves becomes greater than totalCash + totalBorrows: the checked subtraction reverts in order to prevent an underflow, so the function reverts unexpectedly.

Proof of Concept

The design makes no provision for the scenario where totalReserves becomes greater than totalCash + totalBorrows:

    // totalSupplies = totalCash + totalBorrows - totalReserves
    uint totalSupplies = sub_(add_(totalCash, totalBorrows), totalReserves);

Tools Used

Manual review.

Include a conditional statement to handle this condition.

    if (totalCash + totalBorrows > totalReserves) {
        // totalSupplies = totalCash + totalBorrows - totalReserves
        uint totalSupplies = sub_(add_(totalCash, totalBorrows), totalReserves);
    } else {
        action....
    }
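The following contract is an added illustration written for this page; it is not Moonwell's code and not the Comptroller itself. It models only the supply-cap arithmetic the finding points at, with the state variables held directly in the contract (the real Comptroller reads totalCash, totalBorrows and totalReserves from the MToken). `mintAllowedOriginal` reproduces the unguarded expression, and `mintAllowedGuarded` shows one concrete choice for the `else` branch above: revert with a named error that carries the three values, which also addresses the judge's remark that an underflow revert should explain itself when debugged in production. The function and error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative model of the supply-cap check in Comptroller.mintAllowed.
/// Added example, not project code; state is stored inline so the two
/// variants can be exercised without an MToken.
contract SupplyCapCheckModel {
    uint public totalCash;
    uint public totalBorrows;
    uint public totalReserves;
    uint public supplyCap;

    /// Raised when the proposed mint would push supply to or past the cap.
    error SupplyCapReached(uint nextTotalSupplies, uint supplyCap);

    /// Raised instead of a bare arithmetic panic when reserves exceed
    /// cash + borrows, carrying the values that produced the state.
    error ReservesExceedAssets(uint totalCash, uint totalBorrows, uint totalReserves);

    constructor(uint cash, uint borrows, uint reserves, uint cap) {
        totalCash = cash;
        totalBorrows = borrows;
        totalReserves = reserves;
        supplyCap = cap;
    }

    /// Unguarded form, mirroring the expression in the finding.
    /// With totalReserves > totalCash + totalBorrows the subtraction
    /// reverts on underflow (a Panic with no message in Solidity >= 0.8),
    /// so the caller sees an opaque failure rather than a supply-cap reason.
    function mintAllowedOriginal(uint mintAmount) external view {
        uint totalSupplies = totalCash + totalBorrows - totalReserves;
        uint nextTotalSupplies = totalSupplies + mintAmount;
        if (nextTotalSupplies >= supplyCap) {
            revert SupplyCapReached(nextTotalSupplies, supplyCap);
        }
    }

    /// Guarded form: establish the ordering first and fail with a
    /// descriptive error when it does not hold. Only the comparison and
    /// the explicit revert are new; the cap check itself is unchanged.
    function mintAllowedGuarded(uint mintAmount) external view {
        uint assets = totalCash + totalBorrows;
        if (assets < totalReserves) {
            revert ReservesExceedAssets(totalCash, totalBorrows, totalReserves);
        }
        uint totalSupplies = assets - totalReserves;
        uint nextTotalSupplies = totalSupplies + mintAmount;
        if (nextTotalSupplies >= supplyCap) {
            revert SupplyCapReached(nextTotalSupplies, supplyCap);
        }
    }

    /// Test hook for the model: lets a deployer push reserves above
    /// cash + borrows to observe how each variant fails.
    function setReserves(uint reserves) external {
        totalReserves = reserves;
    }
}
```

Deploying with, for example, cash 100, borrows 50, reserves 200 and cap 1000, `mintAllowedOriginal(1)` reverts with an arithmetic panic while `mintAllowedGuarded(1)` reverts with `ReservesExceedAssets(100, 50, 200)`; with reserves at or below 150 both variants behave identically and enforce the cap.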

Assessed type

Math

#0 - c4-pre-sort

2023-08-03T14:03:45Z

0xSorryNotSorry marked the issue as primary issue

#1 - ElliotFriedman

2023-08-03T21:46:11Z

Reserves can be pulled back to the admin address by the admin, so this is a non-issue.

#2 - c4-sponsor

2023-08-03T21:46:14Z

ElliotFriedman marked the issue as sponsor disputed

#3 - alcueca

2023-08-13T13:10:20Z

Underflow reverts should have at least one line of natspec so that when you are debugging it in production you suffer a bit less.

#4 - c4-judge

2023-08-13T13:10:27Z

alcueca changed the severity to QA (Quality Assurance)

#5 - c4-judge

2023-08-13T13:10:32Z

alcueca marked the issue as grade-b
