Moonwell

DeFiFoundry

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Incorrect cash balance breaks existing integrations

pontifex

Summary

The MToken.getCash external function will return incorrect cash balance of the market until badDebt will be paid out. This can cause unexpected errors, gas and profit losses in integrated contracts since the MErc20DelegateFixer.getCashPrior function modification is performed in existing markets.

Vulnerability Details

The modification of getCashPrior internal function is necessary to prevent mTokens exchange rate changing during a manual user positions liquidation.

function getCashPrior() internal view returns (uint256) {

/// safe math unused intentionally, should never overflow as the sum

/// should never be greater than UINT_MAX

return EIP20Interface(underlying).balanceOf(address(this)) + badDebt;

}

Enterally the getCashPrior function is used in the MToken for receiving the quantity of underlying asset owned by this market. But after the modification of the getCashPrior the MToken.getCashwill return incorrect information about the cash balance:

/**

* @notice Get cash balance of this mToken in the underlying asset

* @return The quantity of underlying asset owned by this contract

function getCash() external view returns (uint) {

return getCashPrior();

}

This function is used by other contracts in interactions with the market. Even the mipm17 contract uses the getCash function to get balance.

333 assertEq(mUSDCMErc20Delegator.getCash(), 0, "mad usdc cash incorrect");

352 assertEq(mETHMErc20Delegator.getCash(), 0, "mad eth cash incorrect");

366 assertEq(mwBTCMErc20Delegator.getCash(), 0, "mad btc cash incorrect");

So external contracts expect to receive actual information about the cash balance of the market but for the modified markets they can receive incorrect value. This can cause unexpected errors, gas and profit losses while other contracts interact with the borrowing on modified markets for as example.

Impact

Unexpected errors, gas and profit losses due to broken integration.

Tools used

Manual Review

Recommendations

Consider overwriting the MToken.getCash function to receive the correct value.

function getCash() external view returns (uint) {

- return getCashPrior();

+ EIP20Interface(underlying).balanceOf(address(this));

}

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

394

38 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Judges

1,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.