Open code423n4 opened 1 year ago
The issue is well demonstrated, properly formatted, contains a coded POC. Marking as HQ.
0xSorryNotSorry marked the issue as high quality report
0xSorryNotSorry marked the issue as primary issue
good finding!
ElliotFriedman marked the issue as sponsor confirmed
alcueca marked the issue as selected for report
Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Governance/TemporalGovernor.sol#L237-L239
https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Governance/TemporalGovernor.sol#L400-L402

Vulnerability details

Impact

TemporalGovernor contract: any verified action approval (VAA)/proposal can be executed by anyone if it has been queued and passed the time delay. The TemporalGovernor contract doesn't have any balance, as there's no receive() or payable function to receive the funds that will be sent to the proposal's target address. A proposal whose payload (vm.payload) carries a value will not be executed, since target.call{value: value}(data) will revert.

Proof of Concept

Lines 400-402

The testExecuteSucceeds test in the TemporalGovernorExec.t.sol file, modified to demonstrate the issue: a proposal is set to send an EOA receiverAddress a value of 1 ether, but will revert due to lack of funds (follow the comments in the test):

Tools Used

Manual testing & Foundry.

Recommended Mitigation Steps

Add a receive() function to the TemporalGovernor contract so that it can receive funds (native tokens) to be sent with proposals.

Assessed type

ETH-Transfer
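Added illustration covering both the Proof of Concept and the Recommended Mitigation Steps above (this is not the warden's modified test and not Moonwell code): a Foundry test against a hypothetical minimal executor that only mirrors the target.call{value: value}(data) step the report points at, run first without and then with a receive() function. ExecutorNoReceive, ExecutorWithReceive and receiverAddress are constructed names for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import "forge-std/Test.sol";

// Hypothetical minimal stand-in for a governor that forwards value to a
// proposal target. It is NOT the Moonwell TemporalGovernor; it only mirrors
// the target.call{value: value}(data) step the report points at.
contract ExecutorNoReceive {
    function execute(address target, uint256 value, bytes calldata data) external {
        (bool ok, ) = target.call{value: value}(data);
        require(ok, "execute: call failed");
    }
}

// Mitigation from the report: accept native tokens so queued proposals
// that carry a value can actually be paid out.
contract ExecutorWithReceive is ExecutorNoReceive {
    receive() external payable {}
}

contract ValueProposalTest is Test {
    address receiverAddress; // constructed EOA target for the proposal

    function setUp() public {
        receiverAddress = makeAddr("receiver");
    }

    function testExecuteRevertsWithoutReceive() public {
        ExecutorNoReceive gov = new ExecutorNoReceive();
        // Nobody can fund the governor: a plain transfer to it fails...
        (bool funded, ) = address(gov).call{value: 1 ether}("");
        assertFalse(funded);
        assertEq(address(gov).balance, 0);
        // ...so a queued proposal sending 1 ether reverts at the value call.
        vm.expectRevert(bytes("execute: call failed"));
        gov.execute(receiverAddress, 1 ether, "");
    }

    function testExecuteSucceedsWithReceive() public {
        ExecutorWithReceive gov = new ExecutorWithReceive();
        // With receive() present the governor can hold the proposal's value.
        (bool funded, ) = address(gov).call{value: 1 ether}("");
        assertTrue(funded);
        gov.execute(receiverAddress, 1 ether, "");
        assertEq(receiverAddress.balance, 1 ether);
    }
}
```

Run with forge test in a project that has forge-std installed; the test contract's default ether balance funds the transfers.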