Moonwell

DeFiFoundry
15,000 USDC
Submission Details
Severity: high
Invalid

`MErc20DelegateFixer::repayBadDebtWithCash()` - no mechanism to account for specific user repaying their bad debt.

Summary

There's no mechanism to account for a specific user repaying their bad debt, so a borrower or non-borrower (anyone) can repay all their bad debt without there being any internal accounting evidence of it.

Vulnerability Details

In the function below, any arbitrary `msg.sender` can repay all or a portion of the bad debt, but there is clearly no internal or any other accounting to account for the specific `msg.sender`'s repayment.

```solidity
function repayBadDebtWithCash(uint256 amount) external nonReentrant {
    /// Checks and Effects
    badDebt = SafeMath.sub(badDebt, amount, "amount exceeds bad debt");
    EIP20Interface token = EIP20Interface(underlying);

    /// Interactions
    require(
        token.transferFrom(msg.sender, address(this), amount),
        "transfer in failed"
    );

    emit BadDebtRepayed(amount);
}
```

Impact

  • A borrower with bad debt won't be acknowledged when they repay their bad debt or a portion thereof; it will be equivalent to not having repaid anything.

Tools Used

VSCodium. Manual.

Recommendations

Add internal accounting to account for each msg.sender repaying their bad debt. Add it to the function in question.
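
One way the recommendation above could look, as an added sketch that is not code from the submission or from Moonwell: the contract name `BadDebtLedgerSketch`, the `badDebtRepaidBy` mapping, the `BadDebtRepaidBy` event, the inline reentrancy guard and the Solidity 0.8 pragma are all assumptions. It records only who paid and how much; it does not tie a payment to any particular borrower's position.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed by this sketch.
interface IERC20Minimal {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical stand-alone contract; not Moonwell's MErc20DelegateFixer.
contract BadDebtLedgerSketch {
    IERC20Minimal public immutable underlying;
    uint256 public badDebt;                              // global figure, as in the function on the page
    mapping(address => uint256) public badDebtRepaidBy;  // added: running total per payer
    bool private locked;                                 // simple reentrancy guard (assumption)

    event BadDebtRepayed(uint256 amount);                // event name as it appears on the page
    event BadDebtRepaidBy(address indexed payer, uint256 amount); // added (hypothetical)

    constructor(IERC20Minimal token, uint256 initialBadDebt) {
        underlying = token;
        badDebt = initialBadDebt;
    }

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function repayBadDebtWithCash(uint256 amount) external nonReentrant {
        // Checks and effects: reduce the global figure and credit the payer
        require(amount <= badDebt, "amount exceeds bad debt");
        badDebt -= amount;
        badDebtRepaidBy[msg.sender] += amount;

        // Interactions: pull the underlying tokens from the payer
        require(
            underlying.transferFrom(msg.sender, address(this), amount),
            "transfer in failed"
        );

        emit BadDebtRepayed(amount);
        emit BadDebtRepaidBy(msg.sender, amount);
    }
}
```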

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
0xscsamurai Submitter over 1 year ago
0xnevi Lead Judge over 1 year ago
0xscsamurai Submitter over 1 year ago
0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
