code-423n4 / 2023-07-moonwell-findings


the transferAllowed function doesn't update the UpdateCompSupplyIndex #286

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Comptroller.sol#L483-L486

Vulnerability details

Impact

The transferAllowed function doesn't update the UpdateCompSupplyIndex(MToken). If you look at Comptroller.sol in the original Compound codebase, it updates the UpdateCompSupplyIndex(CToken) before distributeSupplierComp, but in the Moonwell codebase it's ignored altogether.

Proof of Concept

Look at the original Compound codebase; it's updating:

        // Keep the flywheel moving
        updateCompSupplyIndex(cToken);
        distributeSupplierComp(cToken, src);
        distributeSupplierComp(cToken, dst);

Now look at the Moonwell fork, which ignores updateCompSupplyIndex:

        // Keep the flywheel moving
        updateAndDistributeSupplierRewardsForToken(mToken, src);
        updateAndDistributeSupplierRewardsForToken(mToken, dst);

https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Comptroller.sol#L483-L486

Tools Used

VS Code

Recommended Mitigation Steps

Assessed type

Other

0xSorryNotSorry commented 1 year ago

updateAndDistributeSupplierRewardsForToken calls rewardDistributor's updateMarketSupplyIndexAndDisburseSupplierRewards

Invalid assumption.

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as low quality report

c4-judge commented 1 year ago

alcueca marked the issue as unsatisfactory: Invalid
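
An added example, not part of the thread and not Moonwell or Compound code: a simplified Python model of Compound-style supply reward accounting, showing what the report was checking for. It compares a transfer hook that distributes without first updating the supply index against a combined update-and-distribute call, which is what the triage reply says updateAndDistributeSupplierRewardsForToken delegates to. All class, function and account names and all numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from fractions import Fraction

@dataclass
class Market:
    """Simplified Compound-style supply reward state (assumed model)."""
    speed: int                     # reward tokens emitted per second
    total_supply: int              # mTokens outstanding
    index: Fraction = Fraction(0)  # cumulative rewards per mToken
    last_update: int = 0
    balances: dict = field(default_factory=dict)
    checkpoint: dict = field(default_factory=dict)  # per-supplier index
    accrued: dict = field(default_factory=dict)

    def update_supply_index(self, now):
        # Fold rewards emitted since last_update into the global index.
        if now > self.last_update and self.total_supply > 0:
            elapsed = now - self.last_update
            self.index += Fraction(self.speed * elapsed, self.total_supply)
        self.last_update = now

    def distribute(self, who):
        # Credit `who` for index growth since their last checkpoint.
        delta = self.index - self.checkpoint.get(who, Fraction(0))
        owed = delta * self.balances.get(who, 0)
        self.accrued[who] = self.accrued.get(who, Fraction(0)) + owed
        self.checkpoint[who] = self.index

    def update_and_distribute(self, who, now):
        # Combined call: index update first, then distribution.
        self.update_supply_index(now)
        self.distribute(who)

def combined_hook(m, who, now):
    m.update_and_distribute(who, now)

def stale_hook(m, who, now):
    m.distribute(who)  # the pattern the report alleged: no index update

def run(hook):
    # Constructed scenario: alice holds all 100 mTokens for 50s, sends 40 to bob.
    m = Market(speed=10, total_supply=100, balances={"alice": 100, "bob": 0})
    hook(m, "alice", 50)  # reward step of the transfer hook, for src and dst
    hook(m, "bob", 50)
    m.balances["alice"] -= 40
    m.balances["bob"] += 40
    for who in ("alice", "bob"):  # both settle at t=100
        m.update_and_distribute(who, 100)
    return m.accrued["alice"], m.accrued["bob"]
```

With the combined hook, alice is credited 800 and bob 200. With the stale hook the total emitted is the same, but 200 of alice's pre-transfer rewards are credited to bob.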