Although the function _executeProposal in TemporalGovernor.sol performs a .call that forwards native ETH value, neither executeProposal nor fastTrackProposalExecution has the payable modifier. Consequently the transfer of ETH becomes impossible, which would lead to undesirable events if a proposal that includes a transfer of native ETH funds is accepted.
TemporalGovernor.sol
function executeProposal(bytes memory VAA) public whenNotPaused {
    _executeProposal(VAA, false);
}
TemporalGovernor.sol
function fastTrackProposalExecution(bytes memory VAA) external onlyOwner {
    _executeProposal(VAA, true); /// override timestamp checks and execute
}
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L400
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L237
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L266
Vulnerability details
Impact
Although the function _executeProposal in TemporalGovernor.sol performs a .call that forwards native ETH value, neither executeProposal nor fastTrackProposalExecution has the payable modifier. Consequently the transfer of ETH becomes impossible, which would lead to undesirable events if a proposal that includes a transfer of native ETH funds is accepted.
Tools Used
Manual VS Code
Recommended Mitigation Steps
Remove the opportunity for transferring ETH or add the payable modifier.
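The pattern and both mitigations, as an added example that is not code from the Moonwell repository. The contract names, the array-based signature and the exact-funding check are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed, simplified executors; hypothetical names, not the Moonwell source.
contract ExecutorBefore {
    // Not payable: a transaction with msg.value > 0 reverts before the body
    // runs, so the caller cannot supply the ETH that _run forwards.
    function execute(address[] memory targets, uint256[] memory values, bytes[] memory data) public {
        _run(targets, values, data);
    }

    function _run(address[] memory targets, uint256[] memory values, bytes[] memory data) internal {
        for (uint256 i = 0; i < targets.length; i++) {
            // A non-zero values[i] needs ETH the entry point cannot accept.
            (bool ok, ) = targets[i].call{value: values[i]}(data[i]);
            require(ok, "call failed");
        }
    }
}

contract ExecutorPayable {
    // Mitigation "add payable modifier": the caller funds the forwarded ETH.
    function execute(address[] memory targets, uint256[] memory values, bytes[] memory data) public payable {
        require(targets.length == values.length && targets.length == data.length, "length mismatch");
        uint256 total;
        for (uint256 i = 0; i < values.length; i++) total += values[i];
        // Assumed policy: exact funding, so no surplus ETH is left in the contract.
        require(msg.value == total, "msg.value != sum(values)");
        for (uint256 i = 0; i < targets.length; i++) {
            (bool ok, ) = targets[i].call{value: values[i]}(data[i]);
            require(ok, "call failed");
        }
    }
}

contract ExecutorNoValue {
    // Mitigation "remove the opportunity for transferring ETH": no value is forwarded.
    function execute(address[] memory targets, bytes[] memory data) public {
        require(targets.length == data.length, "length mismatch");
        for (uint256 i = 0; i < targets.length; i++) {
            (bool ok, ) = targets[i].call(data[i]);
            require(ok, "call failed");
        }
    }
}
```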
Assessed type
call/delegatecall