Moonwell

DeFiFoundry
15,000 USDC
Submission Details
Severity: high
Invalid

`MErc20DelegateFixer::repayBadDebtWithCash` does not check the `amount` input.

Summary

`MErc20DelegateFixer::repayBadDebtWithCash` has no input validation for the `amount` argument, so an unsatisfactory value can be passed in.

Vulnerability Details

As seen below, there is no input validation check for the amount. As such, the function can be called with zero amount.

```solidity
function repayBadDebtWithCash(uint256 amount) external nonReentrant {
    /// Checks and Effects
    badDebt = SafeMath.sub(badDebt, amount, "amount exceeds bad debt");
    EIP20Interface token = EIP20Interface(underlying);
    /// Interactions
    require(
        token.transferFrom(msg.sender, address(this), amount),
        "transfer in failed"
    );
    emit BadDebtRepayed(amount);
}
```

Impact

Users can pay zero bad debt.

Tools Used

Manual

Recommendations

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
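
The following Python model is an added example, not part of the submission or of Moonwell's code. It traces the state transitions of the quoted function to show what a zero-amount call changes and how such calls can be spotted in the event log. The `payer`/`market` accounts, the `FixerModel` class and the assumption that the underlying token accepts zero-value transfers are constructed for illustration.

```python
class Revert(Exception):
    """Stands in for a Solidity revert."""

class FixerModel:
    """Constructed model of the quoted function (hypothetical names)."""
    def __init__(self, bad_debt, payer_balance):
        self.bad_debt = bad_debt
        self.balances = {"payer": payer_balance, "market": 0}
        self.events = []

    def _transfer_from(self, src, dst, amount):
        # Assumed ERC-20 behaviour: fails on insufficient balance, accepts 0.
        if self.balances[src] < amount:
            return False
        self.balances[src] -= amount
        self.balances[dst] += amount
        return True

    def repay_bad_debt_with_cash(self, amount):
        snapshot = (self.bad_debt, dict(self.balances))
        try:
            if amount > self.bad_debt:  # SafeMath.sub underflow guard
                raise Revert("amount exceeds bad debt")
            self.bad_debt -= amount
            if not self._transfer_from("payer", "market", amount):
                raise Revert("transfer in failed")
            self.events.append(("BadDebtRepayed", amount))
        except Revert:
            # A revert undoes every state change made in the call.
            self.bad_debt, self.balances = snapshot
            raise

def zero_amount_events(events):
    """Monitoring helper: indices of BadDebtRepayed events that repaid nothing."""
    return [i for i, (name, amt) in enumerate(events)
            if name == "BadDebtRepayed" and amt == 0]

def demo():
    m = FixerModel(bad_debt=1_000, payer_balance=5_000)
    m.repay_bad_debt_with_cash(0)        # accepted: there is no amount check
    after_zero = (m.bad_debt, m.balances["market"])
    m.repay_bad_debt_with_cash(400)      # normal repayment
    try:
        m.repay_bad_debt_with_cash(601)  # exceeds the remaining 600
        over_reverted = False
    except Revert:
        over_reverted = True
    return (after_zero, m.bad_debt, m.balances["market"],
            over_reverted, zero_amount_events(m.events))
```

In this model the zero-amount call leaves `bad_debt` and both balances unchanged and only appends a `BadDebtRepayed` event with amount 0, while the upper bound is still enforced by the subtraction check.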
