Moonwell

DeFiFoundry
15,000 USDC
Submission Details
Severity: medium
Invalid

Missing Zero address check on `fixUser()` function

Summary

The function `fixUser(address liquidator, address user)` takes addresses as arguments but does not validate that they are not the zero address.

Vulnerability Details

The vulnerability lies in the function below:

```solidity
function fixUser(address liquidator, address user) external {
    /// @dev check user is admin
    require(msg.sender == admin, "only the admin may call fixUser");
    /// ensure nothing strange can happen with incorrect liquidator
    require(liquidator != user, "liquidator cannot be user");
    require(accrueInterest() == 0, "accrue interest failed");
    /// @dev fetch user's current borrow balance, first updating interest index
    uint256 principal = borrowBalanceStored(user);
    require(principal != 0, "cannot liquidate user without borrows");
    /// user effects
    /// @dev zero balance
    accountBorrows[user].principal = 0;
    accountBorrows[user].interestIndex = borrowIndex;
    /// @dev current amount for a user that we'll transfer to the liquidator
    uint256 liquidated = accountTokens[user];
    /// can only seize collateral assets if they exist
    if (liquidated != 0) {
        /// if assets were liquidated, give them to the liquidator
        accountTokens[liquidator] = SafeMath.add(
            accountTokens[liquidator],
            liquidated
        );
        /// zero out the user's tokens
        delete accountTokens[user];
    }
    /// global effects
    /// @dev increment the bad debt counter
    badDebt = SafeMath.add(badDebt, principal);
    /// @dev subtract the previous balance from the totalBorrows balance
    totalBorrows = SafeMath.sub(totalBorrows, principal);
    emit UserFixed(user, liquidator, liquidated);
}
```

Impact

Medium

Tools Used

Manual

Recommendations

+ require( liquidator != address(0),"Zero address not allowed");
+ require(user != address(0) , "Zero address not allowed");
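
Review bot: both added `require` lines revert with the identical string "Zero address not allowed", so a failed call does not show which argument was zero; give each its own message in the style of the existing "liquidator cannot be user" check, for example "liquidator cannot be zero address" and "user cannot be zero address". The patch also does not say where in `fixUser()` the lines belong: placing them directly after the `msg.sender == admin` check keeps argument validation ahead of `accrueInterest()`. Of the two, the `liquidator` check is the one that guards a state write, since `accountTokens[liquidator]` is credited with the seized balance, while for `user` the existing `require(principal != 0, ...)` already reverts for any account with no borrow balance. The spacing inside the two calls (`require( liquidator` and `address(0) ,`) should match the rest of the function.
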
Updates

Lead Judging Commences

floopthepig Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
floopthepig Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
