Closed code423n4 closed 1 year ago
0xSorryNotSorry marked the issue as duplicate of #268
alcueca marked the issue as satisfactory
alcueca marked the issue as partial-50
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Governance/TemporalGovernor.sol#L400-L402
Vulnerability details
Impact
The contract `TemporalGovernor.sol` is used to queue and execute proposals on other chains with data and values, but that is not possible since the contract can't receive native tokens.
Proof of Concept
As you can see, the functions `executeProposal` and `fastTrackProposalExecution` are not payable (https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Governance/TemporalGovernor.sol#L237, https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Governance/TemporalGovernor.sol#L266), and the contract doesn't have any receive function, nor do the contracts that it inherits, so any time `_executeProposal` would be called with any of the `values` array values greater than 0, the transaction would revert because there are no native funds in the contract to be transferred.
Tools Used
Manual review
Recommended Mitigation Steps
Implement a `receive` function or set any function in the contract `payable` to be able to receive native tokens.
Assessed type
ETH-Transfer
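
The failure mode and the recommended mitigation side by side, as an added example that is not part of the original report and is not Moonwell's code. The contract and function names (`BatchCaller`, `UnfundableExecutor`, `FundableExecutor`, `execute`) are hypothetical, and proposal authorization is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration: simplified, hypothetical contracts, not Moonwell's code.
// Proposal authorization is omitted to keep the focus on value forwarding.
abstract contract BatchCaller {
    function _run(
        address[] calldata targets,
        uint256[] calldata values,
        bytes[] calldata payloads
    ) internal {
        require(
            targets.length == values.length && targets.length == payloads.length,
            "length mismatch"
        );
        for (uint256 i = 0; i < targets.length; i++) {
            // If this contract's balance is below values[i], the call fails.
            (bool ok, ) = targets[i].call{value: values[i]}(payloads[i]);
            require(ok, "underlying call reverted");
        }
    }
}

// No receive() and no payable entry point: neither a plain transfer nor the
// caller can fund it, so with a zero balance any values[i] > 0 reverts.
contract UnfundableExecutor is BatchCaller {
    function execute(
        address[] calldata targets,
        uint256[] calldata values,
        bytes[] calldata payloads
    ) external {
        _run(targets, values, payloads);
    }
}

// Both funding paths from the recommended mitigation.
contract FundableExecutor is BatchCaller {
    // Accepts plain native-token transfers so the contract can be pre-funded.
    receive() external payable {}

    // Payable: the caller can attach the value this batch forwards.
    function execute(
        address[] calldata targets,
        uint256[] calldata values,
        bytes[] calldata payloads
    ) external payable {
        _run(targets, values, payloads);
    }
}
```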