code-423n4 / 2023-07-moonwell-findings


None of the functions calling `_executeProposal` function are payable #275

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L400
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L237
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L266

Vulnerability details

Impact

Although the function _executeProposal in TemporalGovernor.sol executes .call with a native ETH value, neither the executeProposal nor the fastTrackProposalExecution function has the payable function modifier. Consequently, the transfer of ETH becomes impossible, which would lead to undesirable events if a specific proposal that includes the transfer of native ETH funds is accepted.

TemporalGovernor.sol

function executeProposal(bytes memory VAA) public whenNotPaused {
    _executeProposal(VAA, false);
}
TemporalGovernor.sol

function fastTrackProposalExecution(bytes memory VAA) external onlyOwner {
    _executeProposal(VAA, true); /// override timestamp checks and execute
}
TemporalGovernor.sol

(bool success, bytes memory returnData) = target.call{value: value}(
    data
);

Tools Used

Manual, VS Code

Recommended Mitigation Steps

Remove the opportunity for transferring ETH or add the payable modifier.

Assessed type

call/delegatecall
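The pattern in the finding, reduced to a constructed example (this is not the Moonwell TemporalGovernor code; contract names, the `execute` signature and the `InsufficientBalance` error are assumptions made for illustration): the first contract forwards `value` from a non-payable entry point, the second makes the entry point payable, accepts pre-funding, and checks the balance explicitly so a proposal that needs ETH fails with a clear reason instead of a bare failed call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Constructed stand-in for a governor that forwards `value` in a low-level call.
contract NonPayableExecutor {
    event Executed(address indexed target, uint256 value);

    // No `payable`: any msg.value reverts, so the only ETH that can back
    // `value` is a balance this contract already holds. A proposal whose
    // action requires ETH that was never supplied fails at the call below.
    function execute(address target, uint256 value, bytes calldata data) external {
        (bool success, bytes memory ret) = target.call{value: value}(data);
        if (!success) {
            // Bubble up the callee's revert data (empty when the failure is
            // an insufficient balance rather than a revert inside the target).
            assembly { revert(add(ret, 32), mload(ret)) }
        }
        emit Executed(target, value);
    }
}

/// Hardened variant: ETH for the action can arrive with the call (payable)
/// or be pre-funded (receive), and the request is validated up front.
contract PayableExecutor {
    error InsufficientBalance(uint256 requested, uint256 available);
    event Executed(address indexed target, uint256 value);

    receive() external payable {}

    function execute(address target, uint256 value, bytes calldata data) external payable {
        uint256 available = address(this).balance; // already includes msg.value
        if (available < value) {
            revert InsufficientBalance(value, available);
        }
        (bool success, bytes memory ret) = target.call{value: value}(data);
        if (!success) {
            assembly { revert(add(ret, 32), mload(ret)) }
        }
        emit Executed(target, value);
    }
}
```

Deploying both and calling `execute` with `value` of 1 ether and no prior funding shows the difference: the first reverts with empty data from the failed call, the second reverts with `InsufficientBalance(1 ether, 0)`, and sending 1 ether along with the call to the second contract succeeds.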

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as duplicate of #268

c4-judge commented 1 year ago

alcueca marked the issue as satisfactory

c4-judge commented 1 year ago

alcueca marked the issue as partial-50