Closed code423n4 closed 1 year ago
https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Governance/TemporalGovernor.sol#L344-L409
The function executeProposal is used with the wormhole bridge to execute proposals from different chains, but it doesn't check if the VAA processed is meant to be sent to that address.
executeProposal
As you can see it is specified in both queueProposal and executeProposal that is important that the VAA is processed only once and critically, intended for that contract https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Governance/TemporalGovernor.sol#L226 https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Governance/TemporalGovernor.sol#L235 For queueProposal case this is correctly checked in this require statement https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Governance/TemporalGovernor.sol#L322 but there is not checks in the executeProposal proposals, which could lead to wrong assumptions, doing external calls with different values to random addresses in the case where the intended address is not TemporalGovernor.sol. This is especially dangerous fastTrackProposalExecution where checks like queueTime would pass, and the calls will be done immediately. This could also lead to loss of funds is value is meant to be sent with those calls.
queueProposal
TemporalGovernor.sol
fastTrackProposalExecution
queueTime
value
Manual review
Do the same checks in _executeProposal like in _queueProposal since you specify in the comments that it is critically to check this.
_executeProposal
_queueProposal
Governance
0xSorryNotSorry marked the issue as duplicate of #308
alcueca marked the issue as satisfactory
alcueca marked the issue as partial-50
alcueca changed the severity to 2 (Med Risk)
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Governance/TemporalGovernor.sol#L344-L409
Vulnerability details
Impact
The function
executeProposal
is used with the wormhole bridge to execute proposals from different chains, but it doesn't check if the VAA processed is meant to be sent to that address.Proof of Concept
As you can see it is specified in both
queueProposal
andexecuteProposal
that is important that the VAA is processed only once and critically, intended for that contract https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Governance/TemporalGovernor.sol#L226 https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Governance/TemporalGovernor.sol#L235 ForqueueProposal
case this is correctly checked in this require statement https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Governance/TemporalGovernor.sol#L322 but there is not checks in theexecuteProposal
proposals, which could lead to wrong assumptions, doing external calls with different values to random addresses in the case where the intended address is notTemporalGovernor.sol
. This is especially dangerousfastTrackProposalExecution
where checks likequeueTime
would pass, and the calls will be done immediately. This could also lead to loss of funds isvalue
is meant to be sent with those calls.Tools Used
Manual review
Recommended Mitigation Steps
Do the same checks in
_executeProposal
like in_queueProposal
since you specify in the comments that it is critically to check this.Assessed type
Governance