Moonwell

DeFiFoundry
15,000 USDC
Submission Details
Severity: low
Invalid

Unsafe ABI Encodings in MIP-M17.sol

Summary

The code raises potential security concerns through its use of unsafe ABI encodings, specifically abi.encodeWithSignature and abi.encodeWithSelector. These functions are error-prone and may result in vulnerabilities because they are not type-safe and, in the case of abi.encodeWithSignature, are sensitive to typos in the signature string.

Vulnerability Details

The vulnerable code sections involve the use of abi.encodeWithSignature in the _pushAction function calls within the _build function. These calls are used to upgrade implementations of MErc20Delegate contracts and perform other actions.

Impact

The lack of type safety in ABI encodings can lead to runtime errors, vulnerabilities, and unexpected behavior. Additionally, typo-sensitive functions like abi.encodeWithSignature can introduce risks if the function signatures are not accurately represented, potentially causing unintended consequences.

Tools Used

Manual review

Recommendations

1. Replace Unsafe ABI Encodings:
Consider replacing the usage of abi.encodeWithSignature with abi.encodeCall. The latter provides type safety and checks whether the supplied values match the expected types of the called function. This can significantly reduce the risk of runtime errors and vulnerabilities.

2. Use Constants for Function Signatures:
When working with function signatures, consider defining constants for the function signatures to avoid typos and enhance code readability. This practice can contribute to a safer and more maintainable codebase.
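
The two recommendations side by side, as an added example that is not code from MIP-M17.sol or from the submission. The interface `IDelegator`, its function `setImplementation`, and the contract `EncodingComparison` are hypothetical names chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical interface for illustration; not taken from MIP-M17.sol.
interface IDelegator {
    function setImplementation(address impl, bool allowResign, bytes calldata data) external;
}

contract EncodingComparison {
    // Recommendation 2: the signature string is written once, in a constant.
    string internal constant SET_IMPL_SIG = "setImplementation(address,bool,bytes)";

    // String-based encoding: the compiler checks neither the string
    // nor the types and order of the arguments that follow it.
    function viaSignature(address impl) public pure returns (bytes memory) {
        return abi.encodeWithSignature(SET_IMPL_SIG, impl, false, new bytes(0));
    }

    // A single space after a comma still compiles, but the selector is the
    // hash of a different string, so it no longer names setImplementation.
    function viaSignatureWithTypo(address impl) public pure returns (bytes memory) {
        return abi.encodeWithSignature(
            "setImplementation(address, bool,bytes)", impl, false, new bytes(0)
        );
    }

    // Recommendation 1: selector and argument types come from the interface.
    // Passing (false, impl, new bytes(0)) here would be a compile-time error.
    function viaEncodeCall(address impl) public pure returns (bytes memory) {
        return abi.encodeCall(IDelegator.setImplementation, (impl, false, new bytes(0)));
    }

    // Compares the encodings: whether the correct string matches the typed
    // encoding, and whether the typo variant carries a different selector.
    function compare(address impl)
        external
        pure
        returns (bool sameCalldata, bool typoSelectorDiffers)
    {
        sameCalldata = keccak256(viaSignature(impl)) == keccak256(viaEncodeCall(impl));
        typoSelectorDiffers =
            bytes4(viaSignatureWithTypo(impl)) != IDelegator.setImplementation.selector;
    }
}
```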

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
