Moonwell
Moonwell
DeFiFoundry
15,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

`MErc20DelegateFixer::repayBadDebtWithReserves` can be call by anyone to pay bad debt.

0xaman

Summary

The protocol allows the repayment of bad debt using its reserves by calling repayBadDebtWithReserves. However, the function is external and has no access rights, which means that anyone can call this function and pay off bad debt.

Vulnerability Details

The protocol allows the repayment of bad debt with cash or reserves. The reserves are held in custody by the protocol, and their usage must be restricted to the admin or multisig controlled by the protocol team. However, in this new implementation, anyone can call repayBadDebtWithReserves and repay the bad debt with protocol reserves

Impact

Any one can call this function and use totalReserve to pay bad debt

Tools Used

Manual Review

Recommendation

Add a Access rights:

diff --git a/src/MErc20DelegateFixer.sol b/src/MErc20DelegateFixer.sol
--- a/src/MErc20DelegateFixer.sol
+++ b/src/MErc20DelegateFixer.sol
@@ -47,6 +47,9 @@ contract MErc20DelegateFixer is MErc20Delegate {
/// calling this function cannot change the share price
/// both bad debt and reserves will decrement by the same amount
function repayBadDebtWithReserves() external nonReentrant {
+ require(msg.sender == admin, "only the admin may call fixUser");
Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Other

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.