Moonwell
DeFiFoundry
15,000 USDC
Submission Details
Severity: medium
Invalid

`MErc20DelegateFixer::fixUser` will not allow liquidating a user if `accrueInterest()` always returns a non-zero value.

Summary

When we attempt to fix a user, the contract updates the `borrowIndex` by calling `accrueInterest()` and checks whether it returns 0. If it does, it allows us to fix the user. However, it does not address an edge case where `accrueInterest()` always returns a non-zero value.

Vulnerability Details

`fixUser()` fixes the user after the `borrowIndex` is updated with the latest value. However, there will be cases where `accrueInterest()` does not return zero. In such cases, the user will not be fixed, and they will create unremovable bad debt in the system. There must be a way for the protocol to remove the user without updating the `borrowIndex`, because the bad debt must be removed in any case.

Note: The user will be liquidated on the previous `borrowIndex`.

Impact

The user will not be liquidated and the bad debt cannot be removed.

Tools Used

Manual Review

Recommendation

Add a flag to handle this edge case. The following change will handle this case:

diff --git a/src/MErc20DelegateFixer.sol b/src/MErc20DelegateFixer.sol
index 20c7fbe..135129e 100644
--- a/src/MErc20DelegateFixer.sol
+++ b/src/MErc20DelegateFixer.sol
@@ -80,14 +80,14 @@ contract MErc20DelegateFixer is MErc20Delegate {
/// invariant, this can only reduce or keep user and total debt the same
/// liquidator will never be the same as user, only governance can call this function
/// assumes governance is non malicious, and that all users liquidated have active borrows
- function fixUser(address liquidator, address user) external {
+ function fixUser(address liquidator, address user , bool forceFix) external {
/// @dev check user is admin
require(msg.sender == admin, "only the admin may call fixUser");
/// ensure nothing strange can happen with incorrect liquidator
require(liquidator != user, "liquidator cannot be user");
- require(accrueInterest() == 0, "accrue interest failed");
+ require(forceFix || accrueInterest() == 0, "accrue interest failed");
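
Review bot: In the changed `require`, `forceFix || accrueInterest() == 0` short-circuits, so when `forceFix` is true `accrueInterest()` is never called and the rest of `fixUser` runs against whatever borrow index was last stored. The comment block above still states the invariant "this can only reduce or keep user and total debt the same" and does not say whether it holds on that path. If the bypass is intended, document `forceFix` in the function's comments, including the condition under which the admin may set it, and state that the error string "accrue interest failed" only applies when `forceFix` is false. The signature change from two to three arguments also affects every existing caller of `fixUser`, none of which appear in this hunk. Minor style point: remove the space before the comma in `address user , bool forceFix`.
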
Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
0xaman Submitter
about 1 year ago
0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Other