The smart contract MErc20DelegateFixer uses SafeMath for arithmetic operations to prevent overflow and underflow vulnerabilities. However, the contract applies custom error messages inconsistently across its uses of the SafeMath.sub operation. Specifically, the repayBadDebtWithReserves function does not provide custom error messages for its subtraction operations, which can make debugging more difficult and obscure the reason for a transaction failure from end users.
In Solidity, arithmetic operations can lead to underflows or overflows, which are critical vulnerabilities. The SafeMath library is used to prevent such issues by reverting transactions when an operation would result in an underflow or overflow. Custom error messages in SafeMath operations can help identify the exact cause of the failure, making it easier for developers to debug and for users to understand why a transaction failed.
The repayBadDebtWithCash function correctly uses a custom error message ("amount exceeds bad debt") with SafeMath.sub to provide clarity in case of an underflow:
However, the repayBadDebtWithReserves function does not provide custom error messages for its subtraction operations:
This inconsistency could lead to generic revert messages that do not help in identifying the cause of failure, especially in complex transactions involving multiple arithmetic operations.
Developers may find it more challenging to identify and fix issues without specific error messages indicating the cause of transaction reverts.
Manual review
Apply custom error messages uniformly across all SafeMath operations in the contract to enhance clarity and debugging efficiency.
For the repayBadDebtWithReserves function, modify the subtraction operations to include custom error messages:
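The pattern described in this finding, shown as an added illustration and not as the MErc20DelegateFixer source. SafeMathExample, BadDebtExample, the function signatures and the "amount exceeds total reserves" string are hypothetical stand-ins; only "amount exceeds bad debt" comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal stand-in for a SafeMath-style library (hypothetical, not the project's file).
library SafeMathExample {
    // Generic variant: every call site reverts with the same reason string.
    function sub(uint256 a, uint256 b) internal pure returns (uint256) {
        return sub(a, b, "SafeMath: subtraction underflow");
    }

    // Variant that takes a caller-supplied revert reason.
    function sub(uint256 a, uint256 b, string memory errorMessage)
        internal
        pure
        returns (uint256)
    {
        require(b <= a, errorMessage);
        return a - b;
    }
}

// Hypothetical contract with two balances that are reduced together.
contract BadDebtExample {
    uint256 public badDebt;
    uint256 public totalReserves;

    constructor(uint256 initialBadDebt, uint256 initialReserves) {
        badDebt = initialBadDebt;
        totalReserves = initialReserves;
    }

    // Flagged pattern: two subtractions share one generic reason, so a revert
    // does not reveal whether badDebt or totalReserves was too small.
    function repayWithReservesGeneric(uint256 amount) external {
        badDebt = SafeMathExample.sub(badDebt, amount);
        totalReserves = SafeMathExample.sub(totalReserves, amount);
    }

    // Recommended pattern: each subtraction names the balance that underflowed.
    function repayWithReservesExplicit(uint256 amount) external {
        badDebt = SafeMathExample.sub(badDebt, amount, "amount exceeds bad debt");
        totalReserves = SafeMathExample.sub(
            totalReserves, amount, "amount exceeds total reserves"
        );
    }
}
```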