Moonwell

DeFiFoundry
15,000 USDC
Submission Details
Severity: medium
Invalid

Missing access modifier on `repayBadDebtWithReserves()` function allows any user/attacker to repay bad debt with reserves, which should be done by admin according to need

Summary

In the contract `MErc20DelegateFixer.sol`, the function `repayBadDebtWithReserves()` is an external function that every user can call, which can lead to repayment of `badDebt` with reserves at any time. This function should be called only by the admin, and only if there is a need to repay `badDebt`.

Vulnerability Details

```solidity
function repayBadDebtWithCash(uint256 amount) external nonReentrant {
    /// Checks and Effects
    badDebt = SafeMath.sub(badDebt, amount, "amount exceeds bad debt");
    EIP20Interface token = EIP20Interface(underlying);
    /// Interactions
    require(
        token.transferFrom(msg.sender, address(this), amount),
        "transfer in failed"
    );
    emit BadDebtRepayed(amount);
}
```

Impact

Medium

Tools Used

Manual Review

Recommendations

+ require(msg.sender == admin, "only the admin may repay debt");
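
Review bot: the added `require(msg.sender == admin, ...)` line carries no context lines or function header, so it is not clear which function it is meant to guard. The finding names `repayBadDebtWithReserves()`, but the only code quoted under Vulnerability Details is `repayBadDebtWithCash(uint256 amount)`, where the caller's own tokens are pulled in through `token.transferFrom(msg.sender, address(this), amount)`. Please state the target function explicitly and show the check as its first statement, ahead of the `badDebt` update, and quote the body of the function the finding is actually about so the claimed impact can be checked against it.
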
Updates

Lead Judging Commences

floopthepig Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
floopthepig Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
