Moonwell

Vulnerability Details

fixUser from MErc20DelegateFixer works as follows:

After some necessary checks the principal of the user is stored in memory (variable principal), checked against value 0 then changed to value 0. Following that the whole user’s balance in stored in memory (variable liquidated). The problem comes in the following check, where if liquidated is not 0 then we end up moving the whole balance to the liquidator and delete the balance of the user. What happens if liquidated > owed amount? The user will unjustly lose the difference.

PoC

(1) Alice found herself on one of the unhealthy (mFRAX.json or mcxDOT.json) lists.

(2) She realizes the problem and starts gathering tokens to repay her debt by buying or borrowing more on another address using some fresh collateral

(3) She sends all she can gather daily to the address in hopes of gathering enough to pay her borrowed amount and avoid liquidation.

(4) mip-m17 gets implemented and when her turn comes to be the target of fixUser her balance will be deleted, even if she had enough to pay her borrowed amount.

Impact

Likelyhood - Low - This is an edge case, it has low chances of happening.
Impact - High - User's funds are deleted.

Severity: Medium

Tools Used

Manual review

Recommendations

Check if the liquidated variable is bigger than the owed amount and liquidate only up to the owed amount, leaving the rest of the balance to the rightful owner.