Moonwell

DeFiFoundry

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Lack of Post-Transaction Balance Verification in `repayBadDebtWithCash `Function

0xbhumii

Summary

The repayBadDebtWithCash function in the MErc20DelegateFixer contract does not include a verification step to check the balance after the transfer of tokens. This omission may result in a lack of assurance that the transfer was executed as expected, potentially leading to unexpected behavior or vulnerabilities.

Vulnerability Details

The repayBadDebtWithCash function relies on the transferFrom call to withdraw funds from the user's account. However, it lacks a subsequent check to ensure the intended amount was successfully transferred. This can lead to unexpected behavior in the following scenarios:

Insufficient User Balance: If the user has insufficient funds to cover the amount requested, the transferFrom call might revert. However, the repayBadDebtWithCash function wouldn't detect this failure and would continue execution, potentially leading to inconsistencies in the bad debt counter and user balances.
External Contract Issues: In rare cases, the transferFrom call might fail due to external contract issues beyond the control of this contract. Without a balance check, the function wouldn't be aware of the failure and might proceed with state updates based on an incorrect assumption of successful transfer.

Impact

A missing balance check can have the following consequences:

Inaccurate Bad Debt Reduction: The bad debt counter might be incorrectly decremented even if the user transfer fails, leading to discrepancies in accounting.
Unintended User Penalty: If the bad debt counter isn't updated correctly, users might be penalized for a failed transfer attempt.
Unexpected Contract Behavior: The contract might enter an inconsistent state due to mismatched balance assumptions, potentially impacting other functionalities.

Tools Used

Manual review

Recommendations

To address this vulnerability, it's recommended to add a balance check after the transferFrom call. Here's how:

function repayBadDebtWithCash(uint256 amount) external nonReentrant {

// ... existing code

// Check the balance after transfer

uint256 newBalance = EIP20Interface(underlying).balanceOf(address(this));

require(newBalance >= badDebt - amount, "Transfer failed or insufficient funds");

// ... remaining code

}

We should always be careful and take extra precautions like checking before and after balances in order to protect the protocol from attacks

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Other

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

394

38 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Judges

1,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.