Moonwell

DeFiFoundry
15,000 USDC
Submission Details
Severity: high
Invalid

Unrestricted Access to `repayBadDebtWithReserves` in `MErc20DelegateFixer.sol` contract

Summary

The repayBadDebtWithReserves function is publicly accessible without any access control, allowing any user to potentially misuse the function and deplete the protocol's reserves.

Vulnerability Details

The function is designed to reduce the badDebt and totalReserves of the contract. It lacks an onlyAdmin or similar access control modifier, which should restrict the execution to authorized personnel, such as contract administrators or governance mechanisms.

Impact

If exploited, an attacker or any user could call this function repeatedly to drain the reserves of the protocol, leading to financial instability. This could also affect the protocol's ability to cover bad debt in the future.

Tools Used

Manual Review

Recommendations

Implement an access control mechanism to restrict the use of repayBadDebtWithReserves. This can be done by adding a modifier that checks whether the caller is an authorized admin.

function repayBadDebtWithReserves() external nonReentrant {
+   require(msg.sender == admin, "only the admin may call repayBadDebtWithReserves");
    uint256 currentReserves = totalReserves;
    uint256 currentBadDebt = badDebt;
    require(currentReserves != 0, "reserves are zero");
    require(currentBadDebt != 0, "bad debt is zero");
    /// no reverts possible past this point
    /// take the lesser of the two, subtract it from both numbers
    uint256 subtractAmount = currentBadDebt < currentReserves
        ? currentBadDebt
        : currentReserves;
    /// bad debt -= subtract amount
    badDebt = SafeMath.sub(currentBadDebt, subtractAmount);
    /// current reserves -= subtract amount
    totalReserves = SafeMath.sub(currentReserves, subtractAmount);
    emit BadDebtRepayedWithReserves(
        badDebt,
        currentBadDebt,
        totalReserves,
        currentReserves
    );
}
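As an added example that is not part of the submission or of the Moonwell code base, the following Python model reproduces the state transition of the function body quoted above (the two zero-checks, the netting of badDebt against totalReserves by the lesser of the two, the event, and the optional admin require from the recommendation) and shows what repeated calls from an arbitrary address do to the two counters. The names MErc20Model, RevertError, the helper functions and the address string "0xanyone" are assumptions of the example; the model tracks only the two storage variables the quoted function writes.

```python
# Added example, not Moonwell code: a model of repayBadDebtWithReserves() as quoted above.
# Assumed names: MErc20Model, RevertError, simulate_repeated_calls, admin_gate_blocks_non_admin.


class RevertError(Exception):
    """Stands in for a Solidity revert with the require() message."""


class MErc20Model:
    """Tracks only the two storage counters the quoted function writes."""

    def __init__(self, total_reserves, bad_debt, admin="admin"):
        self.total_reserves = total_reserves
        self.bad_debt = bad_debt
        self.admin = admin
        self.events = []  # emitted BadDebtRepayedWithReserves tuples

    def repay_bad_debt_with_reserves(self, caller, admin_only=False):
        """Mirror the function body; admin_only=True adds the recommended require."""
        if admin_only and caller != self.admin:
            raise RevertError("only the admin may call repayBadDebtWithReserves")
        current_reserves = self.total_reserves
        current_bad_debt = self.bad_debt
        if current_reserves == 0:
            raise RevertError("reserves are zero")
        if current_bad_debt == 0:
            raise RevertError("bad debt is zero")
        # no reverts possible past this point: take the lesser, subtract from both
        subtract_amount = min(current_bad_debt, current_reserves)
        self.bad_debt = current_bad_debt - subtract_amount
        self.total_reserves = current_reserves - subtract_amount
        self.events.append(("BadDebtRepayedWithReserves",
                            self.bad_debt, current_bad_debt,
                            self.total_reserves, current_reserves))
        return subtract_amount


def simulate_repeated_calls(total_reserves, bad_debt, n_calls, caller="0xanyone"):
    """Call the ungated function n_calls times; return (per-call outcomes, reserves, bad debt)."""
    model = MErc20Model(total_reserves, bad_debt)
    outcomes = []
    for _ in range(n_calls):
        try:
            outcomes.append(model.repay_bad_debt_with_reserves(caller))
        except RevertError as exc:
            outcomes.append(str(exc))
    return outcomes, model.total_reserves, model.bad_debt


def admin_gate_blocks_non_admin(caller, total_reserves=100, bad_debt=50):
    """True if the recommended admin require rejects `caller` (constructed state)."""
    model = MErc20Model(total_reserves, bad_debt)
    try:
        model.repay_bad_debt_with_reserves(caller, admin_only=True)
    except RevertError:
        return True
    return False


if __name__ == "__main__":
    # constructed sample states: reserves above bad debt, then bad debt above reserves
    print(simulate_repeated_calls(1000, 400, 3))
    print(simulate_repeated_calls(300, 400, 2))
    print(admin_gate_blocks_non_admin("0xanyone"), admin_gate_blocks_non_admin("admin"))
```

With reserves above bad debt, the first call from any address reduces both counters by the bad-debt amount and every later call reverts with "bad debt is zero"; with bad debt above reserves, the first call zeroes totalReserves and later calls revert with "reserves are zero". In either case the counters move once, by exactly the lesser of the two values, and the quoted body performs no token transfer, which is the behaviour to weigh when assessing whether restricting the caller changes the outcome.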
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
