Moonwell

Moonwell
DeFiFoundry
15,000 USDC
View results
Submission Details
Severity: high
Invalid

[H-1] - incorrect operation messes up the badDebt logic in the `MErc20DelegateFixer` contract

Summary

as stated in the fixUser() function comments:
this can only reduce or keep user and total debt the same

Vulnerability Details

The statement in the fixUser() function comments is neglected in the following LoC:

badDebt = SafeMath.add(badDebt, principal);

By this operation the total debt is increased and then also its contrary to

totalBorrows = SafeMath.sub(totalBorrows, principal);

as it is not possible for the total debt to increase as the total borrows decreases

Impact

Messes up the whole bad debt logic of the system

Tools Used

Manual review

Recommendations

function fixUser(address liquidator, address user) external {
/// @dev check user is admin
require(msg.sender == admin, "only the admin may call fixUser");
/// ensure nothing strange can happen with incorrect liquidator
require(liquidator != user, "liquidator cannot be user");
require(accrueInterest() == 0, "accrue interest failed");
/// @dev fetch user's current borrow balance, first updating interest index
uint256 principal = borrowBalanceStored(user);
require(principal != 0, "cannot liquidate user without borrows");
/// user effects
/// @dev zero balance
accountBorrows[user].principal = 0;
accountBorrows[user].interestIndex = borrowIndex;
/// @dev current amount for a user that we'll transfer to the liquidator
uint256 liquidated = accountTokens[user];
/// can only seize collateral assets if they exist
if (liquidated != 0) {
/// if assets were liquidated, give them to the liquidator
accountTokens[liquidator] = SafeMath.add(
accountTokens[liquidator],
liquidated
);
/// zero out the user's tokens
delete accountTokens[user];
}
/// global effects
/// @dev increment the bad debt counter
- badDebt = SafeMath.add(badDebt, principal);
+ badDebt = SafeMath.sub(badDebt, principal);
/// @dev subtract the previous balance from the totalBorrows balance
totalBorrows = SafeMath.sub(totalBorrows, principal);
emit UserFixed(user, liquidator, liquidated);
}
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.