Moonwell
DeFiFoundry
15,000 USDC
Submission Details
Severity: high
Invalid

fixUser function may fail

Summary

The fixUser method may be susceptible to block.timestamp manipulation by malicious miners.

Vulnerability Details

The fixUser method inside MErc20DelegateFixer includes a check that requires the following property to hold:

    require(accrueInterest() == 0, "accrue interest failed");

If we look at how the accrueInterest() method works, we can see the following early return:

    if (accrualBlockTimestampPrior == currentBlockTimestamp) {
        return uint(Error.NO_ERROR);
    }

If the block timestamp hasn't advanced (accrualBlockTimestampPrior == currentBlockTimestamp), there is no new interest to accrue and the function exits early without error. But if timestamp manipulation affects the interest calculations adversely, it could lead to unexpected errors in the subsequent math operations.

If an attacker can influence block.timestamp (this would be a malicious miner), they could potentially manipulate the interest calculations in the accrueInterest function. For example, by artificially advancing the timestamp, an attacker might accelerate interest accumulation, resulting in more interest being calculated than is due over the legitimate time frame. Conversely, by delaying the timestamp, they could slow down interest accrual, affecting the system's financial mechanics. This manipulation could affect the fixUser method, which could then fail after the upgrade script is launched.
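To make the mechanics above concrete, here is an added, simplified Python model of a Compound-style accrueInterest() keyed on block timestamps. It is not Moonwell's MToken or MErc20DelegateFixer code; the fixed-point steps follow Compound's CToken.accrueInterest, the rate cap, market numbers and timestamps are constructed for the example, and fix_user models only the require shown above.

```python
# Added example: a simplified model of a timestamp-based accrueInterest() and
# the fixUser precondition that depends on it. Model code, not Moonwell's
# contracts; all constants below are constructed for illustration.

MANTISSA = 10**18
NO_ERROR = 0

# Constructed cap on the per-second borrow rate, standing in for the
# "borrow rate is absurdly high" guard found in Compound-style markets.
BORROW_RATE_MAX_PER_SECOND = 5 * 10**12


class Market:
    """Minimal interest-bearing market state (constructed)."""

    def __init__(self, borrow_rate_per_second, total_borrows, total_reserves,
                 reserve_factor, borrow_index, accrual_ts):
        self.borrow_rate_per_second = borrow_rate_per_second  # scaled by 1e18
        self.total_borrows = total_borrows                    # underlying units
        self.total_reserves = total_reserves
        self.reserve_factor = reserve_factor                  # scaled by 1e18
        self.borrow_index = borrow_index                      # scaled by 1e18
        self.accrual_ts = accrual_ts                          # last accrual timestamp
        self.last_interest_accumulated = 0

    def accrue_interest(self, current_ts):
        """Return NO_ERROR on success; raise (a 'revert') on a math guard."""
        # Early return quoted in the report: nothing to do within one block.
        if self.accrual_ts == current_ts:
            return NO_ERROR
        # Guards that mirror where the subsequent math would revert.
        if current_ts < self.accrual_ts:
            raise ValueError("timestamp moved backwards")
        if self.borrow_rate_per_second > BORROW_RATE_MAX_PER_SECOND:
            raise ValueError("borrow rate is absurdly high")

        delta = current_ts - self.accrual_ts
        simple_interest_factor = self.borrow_rate_per_second * delta
        interest_accumulated = simple_interest_factor * self.total_borrows // MANTISSA

        self.total_borrows += interest_accumulated
        self.total_reserves += self.reserve_factor * interest_accumulated // MANTISSA
        self.borrow_index += simple_interest_factor * self.borrow_index // MANTISSA
        self.accrual_ts = current_ts
        self.last_interest_accumulated = interest_accumulated
        return NO_ERROR


def fix_user(market, current_ts):
    """Model of the fixUser precondition: accrual must report NO_ERROR."""
    if market.accrue_interest(current_ts) != NO_ERROR:
        raise RuntimeError("accrue interest failed")
    return True


def interest_for_delta(delta, borrow_rate_per_second=10**9, total_borrows=10**12):
    """Interest accrued on a fresh market when the timestamp advances by `delta`.

    Shows the linear dependence: shifting the timestamp by a few seconds shifts
    the accrued amount by the same proportion, nothing more.
    """
    m = Market(borrow_rate_per_second, total_borrows, 0, 10**17, MANTISSA, 1_700_000_000)
    m.accrue_interest(1_700_000_000 + delta)
    return m.last_interest_accumulated


if __name__ == "__main__":
    m = Market(10**9, 10**12, 0, 10**17, MANTISSA, 1_700_000_000)
    print("same timestamp:", m.accrue_interest(1_700_000_000), m.total_borrows)
    print("fixUser after 100 s:", fix_user(m, 1_700_000_100), m.total_borrows)
    print("interest for 100 s vs 115 s:", interest_for_delta(100), interest_for_delta(115))
```

The model shows two things a reviewer would want to check: within the same block the require passes trivially because of the early return, and across blocks the accrued amount grows linearly with the timestamp delta. Since block timestamps must strictly increase and clients reject blocks stamped too far in the future, the delta a block producer can introduce is a matter of seconds, so the effect on the accrued amount is proportionally small; the accrual itself only reverts in the model on the explicit guards, not on a slightly larger delta.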

Impact

Likelihood is low, but the impact can be very high if it happens, because the entire automated process of fixing users will fail.

Tools Used

Foundry

Recommendations

Consider avoiding any dependency on block.timestamp during the fixUser method call.

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
0xe1 Submitter
over 1 year ago
0xnevi Lead Judge
over 1 year ago
