Closed code423n4 closed 1 year ago
0xSorryNotSorry marked the issue as primary issue
ElliotFriedman marked the issue as sponsor confirmed
As I read the natspec, it says it should be usable when paused, but it doesn't say that it shouldn't be usable when not paused. However, I'll defer to the sponsor as to validity.
alcueca marked issue #276 as primary and marked this issue as a duplicate of 276
alcueca marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L266 https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L261
Vulnerability details
Impact
It is said that
TemporalGovernor.fastTrackProposalExecution
Allows the guardian to process a VAA when theTemporalGovernor
is paused. https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L261However, it can be executed even if the temporal governor is not paused.
Proof of Concept
TemporalGovernor.fastTrackProposalExecution
Allows the guardian to process a VAA when theTemporalGovernor
is paused. https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L266But it doesn’t check the pause status of the contract. The guardian can execute it when the temporal governor is not paused.
Tools Used
Manual Review
Recommended Mitigation Steps
Add
whenPaused
on fastTrackProposalExecutionAssessed type
Access Control