Closed code423n4 closed 1 year ago
updateAndDistributeSupplierRewardsForToken
calls rewardDistributor
's updateMarketSupplyIndexAndDisburseSupplierRewards
Invalid assumption.
0xSorryNotSorry marked the issue as low quality report
alcueca marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Comptroller.sol#L483-L486
Vulnerability details
Impact
the transferAllowed function doesn't update the UpdateCompSupplyIndex(MToken) if you look at the Comptroller.sol in original codebase of Compound it updates the UpdateCompSupplyIndex(CToken) before distributeSupplierComp but in moonwell codebase, its ignored at all.
Proof of Concept
loot at the Original Codebase of compound its updating
now look at the MoonWell fork which is ignored updateCompSupplyIndex
https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Comptroller.sol#L483-L486
Tools Used
vs code
Recommended Mitigation Steps
Assessed type
Other