Moonwell

DeFiFoundry

15,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Lack of Access Control in repayBadDebtWithReserves() opens way for dire discrepancies.

tigerfrake

Summary

The intended use of the repayBadDebtWithReserves() function is to decrease both bad debt and reserves in a lending protocol. It is designed to be called when there are sufficient reserves available and when there is outstanding bad debt to be addressed. By reducing bad debt and reserves simultaneously, the function helps to improve the financial health of the lending protocol and maintain its stability.

This function is meant to be invoked under controlled circumstances and thus should typically be restricted to authorized entities to ensure responsible management of the protocol's resources.
However, Allowing anyone to call the repayBadDebtWithReserves() function could lead to several potential issues.

Vulnerability Details

function repayBadDebtWithReserves() external nonReentrant {

uint256 currentReserves = totalReserves;

uint256 currentBadDebt = badDebt;

require(currentReserves != 0, "reserves are zero");

require(currentBadDebt != 0, "bad debt is zero");

/// no reverts possible past this point

/// take the lesser of the two, subtract it from both numbers

uint256 subtractAmount = currentBadDebt < currentReserves

? currentBadDebt

: currentReserves;

/// bad debt -= subtract amount

badDebt = SafeMath.sub(currentBadDebt, subtractAmount);

/// current reserves -= subtract amount

totalReserves = SafeMath.sub(currentReserves, subtractAmount);

emit BadDebtRepayedWithReserves(

badDebt,

currentBadDebt,

totalReserves,

currentReserves

);

}

There are no Access control whatsoever in this function making it callabe by anyone including malicious entities.

Impact

Misuse of Reserves: If anyone can call this function, they could potentially drain the reserves of the lending protocol, which are crucial for covering unexpected losses, managing liquidity, and maintaining stability. This could leave the protocol vulnerable in case of emergencies or large-scale liquidation events.
Manipulation of Bad Debt: Allowing unrestricted access to reduce bad debt could enable malicious actors to manipulate the system by artificially reducing bad debt without legitimate cause. This could distort the financial health of the protocol and undermine its integrity.
Economic Imbalance: Uncontrolled reduction of bad debt and reserves without proper oversight or justification could disrupt the economic balance within the lending protocol. It could lead to inaccurate risk assessment, misallocation of resources, and potentially unsustainable operations.
Lack of Accountability: Allowing anyone to call this function removes accountability and oversight, as there are no checks or balances in place to ensure that the reduction of bad debt and reserves is done in a responsible and transparent manner.

Tools Used

Manual Review

Recommendations

To mitigate these issues, it's essential to implement proper access controls, such as permissioned roles or governance mechanisms, to restrict who can call this function. Additionally, clear guidelines and criteria should be established for when and how this function can be used to ensure responsible management of bad debt and reserves.

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Other

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

394

38 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Judges

1,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.