Closed code423n4 closed 1 year ago
While the submission falls into OOS --> [M‑04] The owner is a single point of failure and a centralization risk category, relaying the submission to the Sponsors due to proposed mitigations and the quality of the report.
0xSorryNotSorry marked the issue as high quality report
0xSorryNotSorry marked the issue as primary issue
ofc this is an issue, but admin is trusted, so this isn't a finding that should receive a payout. if you say admin is untrusted, they can just rug by upgrading to a malicious smart contract system for all mToken logic contracts and then pull all the funds for themselves
ElliotFriedman marked the issue as sponsor disputed
ElliotFriedman marked the issue as disagree with severity
This behaviour is common to all collateralized lending platforms, Maker, Aave, Compound, etc.
Dropping the collateral factor is a governance action, and as such it will usually be delayed by a Timelock. Users should watch independently about the governance changes that are about to impact their assets, but usally governors communicate these changes to avoid reputational damage.
Despite the high quality of the report, I'm sorry to say that there is nothing here.
alcueca marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Comptroller.sol#L707-L740
Vulnerability details
Impact
Comptroller
contract :Market.collateralFactorMantissa
mltiplier represents the maximum underlying asset amount the depositors can borrow against their collateral in a market,for example:if it is set to 0.9;then 90% of collateral value is allowed to be borrowed.collateralFactorMantissa
value is initially set to zero when the admin list a market (by _supportMarket function)_setCollateralFactor
function) to any value between 0 and 0.9.Comptroller
contract to enable the user to increase their collaterals/health before being dirctly exposed to liquidation.Market.collateralFactorMantissa
is set to a higher value without having the time to enhance their positions.Proof of Concept
The test is copied from
testRewards()
function inComptroller.t.sol
file & modified to demonstrate the vulnerability in details.The
FaucetToken.sol
helper test contract is modified by addingmint()
function to theStandardToken
contract,this token is going to be used as an underlying asset for the market:test/unit/Comptroller.t.sol
file; where the following scenario is set:Tools Used
Manual Testing & Foundry.
Recommended Mitigation Steps
This can be mitigated by either one of the two options:
Option#1: Set a
gracePeriod
for each market, and this value is updated whenever the admin changes theMarket.collateralFactorMantissa
(gracePeriod=block.timestamp + 7 days
), so that when a keeper tries to liquidate a position; it will check if thegracePeriod
is passed or not.Option#2: record the
Market.collateralFactorMantissa
with eachBorrowSnapshot
, so that users can be liquidated based on thecollateralFactorMantissa
they have borrowed against,not the new one.Assessed type
Context