Moonwell

DeFiFoundry
15,000 USDC
Submission Details
Severity: medium
Invalid

The `repayBadDebtWithCash` and `repayBadDebtWithReserves` functions in the `MErc20DelegateFixer` contract make external calls without validating the return values

Summary

The `repayBadDebtWithCash` and `repayBadDebtWithReserves` functions in the `MErc20DelegateFixer` contract act on the results of token calls and storage reads without fully validating them. If the underlying token call fails in a way the contract does not detect, or the function proceeds with values that make the operation a no-op, the contract can be left in an inconsistent or invalid state.

Vulnerability Details

The issue stems from the limited validation of results in `repayBadDebtWithCash` and `repayBadDebtWithReserves`. The first function relies solely on the boolean returned by the token's `transferFrom`; the second reads `totalReserves` and `badDebt` and proceeds without checking that either is non-zero.

function repayBadDebtWithCash(uint256 amount) external nonReentrant {
// External token call; only the boolean return value is checked
require(
token.transferFrom(msg.sender, address(this), amount),
"transfer in failed"
);
// Function implementation...
}
function repayBadDebtWithReserves() external nonReentrant {
// Storage reads only; neither value is validated before reserves are consumed
uint256 currentReserves = totalReserves;
uint256 currentBadDebt = badDebt;
// Function implementation...
}

Impact

  • If a token's `transferFrom` reports failure in a way the contract does not detect (for example by returning false rather than reverting), the bad-debt accounting can diverge from the tokens the contract actually holds.

  • Users can lose funds or fail to achieve the intended repayment if their transaction is treated as successful when the transfer did not take place, or if a call that should succeed fails unexpectedly.

  • Unexpected failures or inconsistent contract behavior undermine the reliability and trustworthiness of the protocol.

Tools Used

Manual review

Recommendations

To mitigate the risk of inconsistent contract states and protect users from financial losses, always validate the result of every external call and handle failure cases explicitly: revert with an informative message rather than continuing with partial state. For ERC20 transfers in particular, a wrapper such as OpenZeppelin's `SafeERC20.safeTransferFrom` is the standard choice, because it reverts both when a token returns false and when a token returns no value at all, whereas a plain `require(token.transferFrom(...))` against an interface declared `returns (bool)` reverts on the latter kind of token before the boolean is ever examined. Before consuming reserves, check that both the reserves and the bad debt are non-zero so the function cannot silently do nothing.

function repayBadDebtWithCash(uint256 amount) external nonReentrant {
// Capture the boolean result of the external call and fail loudly on false
bool success = token.transferFrom(msg.sender, address(this), amount);
require(success, "transfer in failed");
// Function implementation...
}
function repayBadDebtWithReserves() external nonReentrant {
uint256 currentReserves = totalReserves;
uint256 currentBadDebt = badDebt;
// Reject the no-op case up front instead of proceeding with zero values
require(currentReserves != 0 && currentBadDebt != 0, "reserves or bad debt is zero");
// Function implementation...
}

By validating return values and handling failure cases appropriately, the contract can maintain the integrity of its state and ensure reliable and consistent behavior for users.
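The following is an added illustration of the recommended pattern, not code from Moonwell or the `MErc20DelegateFixer` contract. The contract name `BadDebtRepayer`, the `_safeTransferFrom` helper, the `BadDebtRepaid` event, the inline `nonReentrant` modifier, and the constructor-seeded `badDebt` and `totalReserves` values are all hypothetical. It shows a transfer check that accepts both tokens that return a boolean and tokens that return nothing (USDT on Ethereum mainnet is the best-known example of the latter), and the non-zero precondition on the reserves path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal interface; the `returns (bool)` declaration is what makes a plain
// `require(token.transferFrom(...))` revert on tokens that return no data.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical stand-in for the fixer contract; only the repayment paths are shown.
contract BadDebtRepayer {
    IERC20 public immutable token;
    uint256 public badDebt;
    uint256 public totalReserves;
    bool private locked;

    event BadDebtRepaid(address indexed payer, uint256 amount);

    // Seed values are for illustration; a real deployment would derive them from the market.
    constructor(IERC20 _token, uint256 initialBadDebt, uint256 initialReserves) {
        token = _token;
        badDebt = initialBadDebt;
        totalReserves = initialReserves;
    }

    // Minimal reentrancy guard standing in for the project's nonReentrant modifier.
    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    // Pulls `amount` of the underlying from the caller and reduces bad debt.
    // Any transfer failure reverts before state is touched.
    function repayBadDebtWithCash(uint256 amount) external nonReentrant {
        require(amount != 0, "zero amount");
        require(amount <= badDebt, "amount exceeds bad debt");

        _safeTransferFrom(token, msg.sender, address(this), amount);

        badDebt -= amount;
        emit BadDebtRepaid(msg.sender, amount);
    }

    // Uses reserves to absorb bad debt. The preconditions replace the silent
    // no-op that a zero reserve or zero bad debt would otherwise produce.
    function repayBadDebtWithReserves() external nonReentrant {
        uint256 currentReserves = totalReserves;
        uint256 currentBadDebt = badDebt;
        require(currentReserves != 0 && currentBadDebt != 0, "reserves or bad debt is zero");

        uint256 repaid = currentReserves < currentBadDebt ? currentReserves : currentBadDebt;
        totalReserves = currentReserves - repaid;
        badDebt = currentBadDebt - repaid;
        emit BadDebtRepaid(address(this), repaid);
    }

    // Low-level transferFrom that accepts both ERC20 return conventions:
    //  - tokens returning bool: the decoded value must be true
    //  - tokens returning nothing: empty return data counts as success
    // The low-level call bypasses Solidity's return-data size check, so the
    // second kind of token no longer reverts the whole repayment.
    function _safeTransferFrom(IERC20 _token, address from, address to, uint256 amount) private {
        // A call to an address with no code succeeds with empty data, so rule that out first.
        require(address(_token).code.length != 0, "token has no code");

        (bool ok, bytes memory data) = address(_token).call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, amount)
        );
        require(ok, "transfer in reverted");
        require(data.length == 0 || abi.decode(data, (bool)), "transfer in returned false");
    }
}
```

The `_safeTransferFrom` helper mirrors what OpenZeppelin's `SafeERC20` does internally; in a production contract the library should be used directly rather than re-implemented. The code-size check matters because a low-level `call` to an externally owned account returns success with empty data, which would otherwise be indistinguishable from a token that returns nothing.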

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
