Moonwell - sces60107's results

An open lending and borrowing DeFi protocol.

General Information

Platform: Code4rena

Start Date: 24/07/2023

Pot Size: $100,000 USDC

Total HM: 18

Participants: 73

Period: 7 days

Judge: alcueca

Total Solo HM: 8

Id: 267

League: ETH

Moonwell

Findings Distribution

Researcher Performance

Rank: 20/73

Findings: 2

Award: $567.29

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Moonwell

Findings Information

🌟 Selected for report: Aymen0909

Also found by: ABAIKUNANBAEV, Jigsaw, hals, sces60107

Labels

bug

2 (Med Risk)

satisfactory

sponsor confirmed

duplicate-276

Awards

523.9156 USDC - $523.92

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L266 https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L261

Vulnerability details

Impact

It is said that TemporalGovernor.fastTrackProposalExecution Allows the guardian to process a VAA when the TemporalGovernor is paused. https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L261

    /// @notice Allow the guardian to process a VAA when the
    /// Temporal Governor is paused this is only for use during
    /// periods of emergency when the governance on moonbeam is
    /// compromised and we need to stop additional proposals from going through.
    /// @param VAA The signed Verified Action Approval to process

However, it can be executed even if the temporal governor is not paused.

Proof of Concept

TemporalGovernor.fastTrackProposalExecution Allows the guardian to process a VAA when the TemporalGovernor is paused. https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L266

    /// @notice Allow the guardian to process a VAA when the
    /// Temporal Governor is paused this is only for use during
    /// periods of emergency when the governance on moonbeam is
    /// compromised and we need to stop additional proposals from going through.
    /// @param VAA The signed Verified Action Approval to process
    function fastTrackProposalExecution(bytes memory VAA) external onlyOwner {
        _executeProposal(VAA, true); /// override timestamp checks and execute
    }

But it doesn’t check the pause status of the contract. The guardian can execute it when the temporal governor is not paused.

Tools Used

Manual Review

Recommended Mitigation Steps

Add whenPaused on fastTrackProposalExecution

-   function fastTrackProposalExecution(bytes memory VAA) external onlyOwner {
+   function fastTrackProposalExecution(bytes memory VAA) external whenPaused onlyOwner {
        _executeProposal(VAA, true); /// override timestamp checks and execute
    }

Assessed type

Access Control

#0 - c4-pre-sort
2023-08-03T13:53:10Z

0xSorryNotSorry marked the issue as primary issue

#1 - c4-sponsor
2023-08-03T22:04:33Z

ElliotFriedman marked the issue as sponsor confirmed

#2 - alcueca
2023-08-12T20:40:58Z

As I read the natspec, it says it should be usable when paused, but it doesn't say that it shouldn't be usable when not paused. However, I'll defer to the sponsor as to validity.

#3 - c4-judge
2023-08-12T20:42:40Z

alcueca marked issue #276 as primary and marked this issue as a duplicate of 276

#4 - c4-judge
2023-08-12T20:42:50Z

alcueca marked the issue as satisfactory

Findings Information

🌟 Selected for report: hals

Also found by: 0x70C9, 0xComfyCat, 0xl51, Kaysoft, RED-LOTUS-REACH, T1MOH, Tendency, Vagner, bin2chen, immeas, kodyvim, sces60107

Labels

bug

2 (Med Risk)

downgraded by judge

partial-50

duplicate-268

Awards

43.3709 USDC - $43.37

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L400 https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L237 https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L266

Vulnerability details

Impact

TemporalGovernor can execute proposals. But it cannot execute proposals with value != 0. The function doesn’t have a payable modifier. And there is no receive() in the contract.

Proof of Concept

There is no payable modifier on executeProposal and fastTrackProposalExecution. https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L237 https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L266

    function executeProposal(bytes memory VAA) public whenNotPaused {
        _executeProposal(VAA, false);
    }

    function fastTrackProposalExecution(bytes memory VAA) external onlyOwner {
        _executeProposal(VAA, true); /// override timestamp checks and execute
    }

And the TemporalGovernor doesn’t have a receive() function.

But _executeProposal should be able to make a call with value greater than zero. https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L400

    function _executeProposal(bytes memory VAA, bool overrideDelay) private {
        …

        for (uint256 i = 0; i < targets.length; i++) {
            address target = targets[i];
            uint256 value = values[i];
            bytes memory data = calldatas[i];

            // Go make our call, and if it is not successful revert with the error bubbling up
            (bool success, bytes memory returnData) = target.call{value: value}(
                data
            );

            /// revert on failure with error message if any
            require(success, string(returnData));

            emit ExecutedTransaction(target, value, data);
        }
    }

Tools Used

Manual Review

Recommended Mitigation Steps

Add payable modifier on those functions or add receive() in TemporalGovernor

Assessed type

ETH-Transfer

#0 - c4-pre-sort
2023-08-03T13:21:36Z

0xSorryNotSorry marked the issue as duplicate of #268

#1 - c4-judge
2023-08-12T20:37:30Z

alcueca marked the issue as satisfactory

#2 - c4-judge
2023-08-12T20:37:34Z

alcueca marked the issue as partial-50

#3 - c4-judge
2023-08-21T21:35:22Z

alcueca changed the severity to 2 (Med Risk)

Moonwell - sces60107's results

An open lending and borrowing DeFi protocol.

General Information

Findings Distribution

Researcher Performance

External Links

[M-08] `TemporalGovernor.fastTrackProposalExecution` should add `whenPaused` - $523.92

Findings Information

Labels

Awards

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type

#0 - c4-pre-sort2023-08-03T13:53:10Z

#1 - c4-sponsor2023-08-03T22:04:33Z

#2 - alcueca2023-08-12T20:40:58Z

#3 - c4-judge2023-08-12T20:42:40Z

#4 - c4-judge2023-08-12T20:42:50Z

[M-09] `TemporalGovernor` cannot execute proposals with value != 0 - $43.37

Findings Information

Labels

Awards

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type

#0 - c4-pre-sort2023-08-03T13:21:36Z

#1 - c4-judge2023-08-12T20:37:30Z

#2 - c4-judge2023-08-12T20:37:34Z

#3 - c4-judge2023-08-21T21:35:22Z

#0 - c4-pre-sort
2023-08-03T13:53:10Z

#1 - c4-sponsor
2023-08-03T22:04:33Z

#2 - alcueca
2023-08-12T20:40:58Z

#3 - c4-judge
2023-08-12T20:42:40Z

#4 - c4-judge
2023-08-12T20:42:50Z

#0 - c4-pre-sort
2023-08-03T13:21:36Z

#1 - c4-judge
2023-08-12T20:37:30Z

#2 - c4-judge
2023-08-12T20:37:34Z

#3 - c4-judge
2023-08-21T21:35:22Z