Moonwell

Moonwell
DeFiFoundry
15,000 USDC
View results
Submission Details
Severity: low
Invalid

Lack of Post-Transaction Balance Verification in `repayBadDebtWithCash `Function

Summary

The repayBadDebtWithCash function in the MErc20DelegateFixer contract does not include a verification step to check the balance after the transfer of tokens. This omission may result in a lack of assurance that the transfer was executed as expected, potentially leading to unexpected behavior or vulnerabilities.

Vulnerability Details

The repayBadDebtWithCash function relies on the transferFrom call to withdraw funds from the user's account. However, it lacks a subsequent check to ensure the intended amount was successfully transferred. This can lead to unexpected behavior in the following scenarios:

  • Insufficient User Balance: If the user has insufficient funds to cover the amount requested, the transferFrom call might revert. However, the repayBadDebtWithCash function wouldn't detect this failure and would continue execution, potentially leading to inconsistencies in the bad debt counter and user balances.

  • External Contract Issues: In rare cases, the transferFrom call might fail due to external contract issues beyond the control of this contract. Without a balance check, the function wouldn't be aware of the failure and might proceed with state updates based on an incorrect assumption of successful transfer.

Impact

A missing balance check can have the following consequences:

  • Inaccurate Bad Debt Reduction: The bad debt counter might be incorrectly decremented even if the user transfer fails, leading to discrepancies in accounting.

  • Unintended User Penalty: If the bad debt counter isn't updated correctly, users might be penalized for a failed transfer attempt.

  • Unexpected Contract Behavior: The contract might enter an inconsistent state due to mismatched balance assumptions, potentially impacting other functionalities.

Tools Used

Manual review

Recommendations

To address this vulnerability, it's recommended to add a balance check after the transferFrom call. Here's how:

function repayBadDebtWithCash(uint256 amount) external nonReentrant {
// ... existing code
// Check the balance after transfer
uint256 newBalance = EIP20Interface(underlying).balanceOf(address(this));
require(newBalance >= badDebt - amount, "Transfer failed or insufficient funds");
// ... remaining code
}

We should always be careful and take extra precautions like checking before and after balances in order to protect the protocol from attacks

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.