Moonwell
DeFiFoundry
15,000 USDC
Submission Details
Severity: medium
Invalid

Inadequate Debt Repayment Mechanism in repayBadDebtWithReserves

Summary

The repayBadDebtWithReserves function in the MErc20DelegateFixer contract adjusts the bad-debt and reserve counters without transferring any assets to repay the debt. Although the function reduces bad debt and reserves in step, it has no mechanism that actually repays the bad debt, so debt management can be left incomplete.

Vulnerability Details

The vulnerability lies in the repayBadDebtWithReserves function of the MErc20DelegateFixer contract. The function is intended to manage bad debt using reserves, but it contains no mechanism that directly repays that debt. The points below explain why this presents a vulnerability.

  • The repayBadDebtWithReserves function is designed to reduce both bad debt and reserves by the same amount, namely the lesser of the two values, so that the two figures stay in sync.

  • The function first reads the current values of totalReserves and badDebt and requires both to be non-zero.
    The amount to subtract is then set to the lesser of the current bad debt and the current reserves.
    Both badDebt and totalReserves are reduced by that amount.

  • The critical issue is that the function only adjusts the internal accounting of bad debt and reserves.
    Unlike repayBadDebtWithCash, which repays bad debt with externally supplied assets, repayBadDebtWithReserves transfers no assets at all.
    As a result, the bad-debt liability remains unresolved within the system, which can lead to accounting discrepancies and incomplete debt management.

  • The absence of a direct repayment mechanism undermines the contract's debt-management strategy.
    Without it, the bad-debt liability persists within the system, with possible accounting inaccuracies and financial instability.
    Incomplete debt management may also erode users' confidence in the platform's ability to handle defaults.

  • The vulnerability stems from a design oversight: the function adjusts internal accounting only and does not consider the need to repay the bad debt directly.
    This may result from underestimating the importance of comprehensive debt management or from assuming that reserve adjustments alone suffice to mitigate bad debt.

function repayBadDebtWithReserves() external nonReentrant {
    uint256 currentReserves = totalReserves;
    uint256 currentBadDebt = badDebt;

    require(currentReserves != 0, "reserves are zero");
    require(currentBadDebt != 0, "bad debt is zero");

    // subtract the lesser of the two values from both counters
    uint256 subtractAmount = currentBadDebt < currentReserves
        ? currentBadDebt
        : currentReserves;

    badDebt = SafeMath.sub(currentBadDebt, subtractAmount);
    totalReserves = SafeMath.sub(currentReserves, subtractAmount);

    emit BadDebtRepayedWithReserves(
        badDebt,
        currentBadDebt,
        totalReserves,
        currentReserves
    );
}
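
A Foundry test, added here as an illustration and not part of this submission or of the Moonwell code base, that pins down the state change the finding describes: against a hypothetical minimal stand-in for MErc20DelegateFixer with constructed figures, badDebt and totalReserves both fall by the lesser of the two while the market's token balance is unchanged, whereas the cash path pulls tokens in. MiniToken, FixerMock and the amounts are assumptions.

```solidity
pragma solidity ^0.8.19;

import "forge-std/Test.sol";

// Constructed minimal token: balances plus transferFrom, just enough for the test.
contract MiniToken {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        balanceOf[from] -= amount; balanceOf[to] += amount; return true;
    }
}

// Hypothetical stand-in for the bad-debt accounting in MErc20DelegateFixer (not the project's code).
contract FixerMock {
    MiniToken public underlying;
    uint256 public totalReserves;
    uint256 public badDebt;

    constructor(MiniToken token, uint256 reserves, uint256 debt) {
        underlying = token; totalReserves = reserves; badDebt = debt;
    }

    // Same arithmetic as the quoted function: both counters drop by min(badDebt, reserves), no transfer.
    function repayBadDebtWithReserves() external {
        require(totalReserves != 0 && badDebt != 0, "zero");
        uint256 subtractAmount = badDebt < totalReserves ? badDebt : totalReserves;
        badDebt -= subtractAmount;
        totalReserves -= subtractAmount;
    }
    // Cash path as the finding describes it: caller's tokens are pulled in, bad debt falls by that amount.
    function repayBadDebtWithCash(uint256 amount) external {
        require(amount <= badDebt, "exceeds bad debt");
        require(underlying.transferFrom(msg.sender, address(this), amount), "transfer failed");
        badDebt -= amount;
    }
}

contract FixerTest is Test {
    function testReservesPathChangesAccountingOnly() public {
        MiniToken token = new MiniToken();
        FixerMock fixer = new FixerMock(token, 1000e6, 400e6); // constructed: 1000 reserves, 400 bad debt
        token.mint(address(fixer), 1000e6); // reserves sit inside the market's own token balance
        uint256 balanceBefore = token.balanceOf(address(fixer));
        fixer.repayBadDebtWithReserves();
        assertEq(fixer.badDebt(), 0);
        assertEq(fixer.totalReserves(), 600e6);
        assertEq(token.balanceOf(address(fixer)), balanceBefore); // no tokens moved
    }
}
```

Run with forge test; the final assertion is the check that separates an accounting-only change from a token movement.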

Impact

The impact of this vulnerability is that the bad debt remains unresolved despite the reduction in reserves. The contract's debt management may therefore be incomplete, potentially leading to financial instability or inaccuracies in accounting.

Tools Used

Manual review

Recommendations

A mitigation strategy is to extend the repayBadDebtWithReserves function with a mechanism for direct debt repayment, for example by transferring assets equal to the amount by which bad debt is reduced from the contract to the lender or another designated recipient.

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other