Moonwell

Moonwell
DeFiFoundry
15,000 USDC
View results
Submission Details
Severity: medium
Invalid

Missing input validation in `MErc20DelegateFixer.repayBadDebtWithCash`

Summary

In MErc20DelegateFixer.sol, the function repayBadDebtWithCash doesn't check amount. Since we know it can be zero (it wouldn't change anything and user pays the gas for nothing).

Vulnerability Details

The vulnerability lies in the function repayBadDebtWithCash within the MErc20DelegateFixer.sol contract. This function lacks a check for the amount parameter, allowing it to be zero. As a result, users can execute the function with a zero amount, which would not alter the contract state but still incur gas costs to the user.

Impact

The impact of this vulnerability is primarily financial and operational. Users may unknowingly or intentionally call the repayBadDebtWithCash function with a zero amount, expecting to repay debt but achieving no change in the contract state. However, they would still be charged transaction fees for gas usage. Over time, this could lead to unnecessary gas expenditure for users and potential frustration due to the lack of expected outcomes. Additionally, it could introduce inefficiencies in the contract's operation and undermine user trust in the system's functionality.

Tools Used

Manual Review

Recommendations

Consider adding a require amount>0.

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.