Closed code423n4 closed 1 year ago
The function overloading is only called once for the uint params and ends with:
function sub_(uint a, uint b, string memory errorMessage) pure internal returns (uint) {
    require(b <= a, errorMessage);
    return a - b;
}
However, the way the sub_ function is implemented, it will cause an infinite loop due to the recursive call to itself, which will throw an out of gas error and any gas used will be lost.
Thus, the above statement requires more proof.
0xSorryNotSorry marked the issue as low quality report
alcueca marked the issue as unsatisfactory: Insufficient proof
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L912
Vulnerability details
Impact
Recursive calls from calculateNewIndex in MultiRewardDistributor will result in an infinite loop and out of gas errors, preventing tokens from being minted and rewards being sent to some users as disburseSupplierRewardsInternal will not be called.
Proof of Concept
Summarizing the interactions that occur when a user calls mint:
MToken -> Comptroller -> MultiRewardDistributor -> MToken
When calculating a new index in function calculateNewIndex, there is a call to an internal sub_ function, passing in blockTimestamp and _currentTimestamp.
However, the way the sub_ function is implemented, it will cause an infinite loop due to the recursive call to itself, which will throw an out of gas error and any gas used will be lost.
Tools Used
Manual Review
Recommended Mitigation Steps
I would recommend adding a check to the sub_ function that prevents the recursive call when the condition is not met.
This is in line with the safeMath library implementation. (https://github.com/ConsenSysMesh/openzeppelin-solidity/blob/master/contracts/math/SafeMath.sol)
The same issue exists in the mul, div and add_ functions within the function flow of getOutstandingRewardsForUser, where recursive calls are made. Where it is recommended to update the implementations in ExponentialNoError to the following:
Assessed type
Under/Overflow
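The overload chain that the closing comment describes, as an added example that is not part of the original thread or of the Moonwell code base. Only the three-argument sub_ is quoted on this page; the two-argument wrapper, the harness function elapsed, and the contrasting loop_ function are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example contract. Names other than sub_ (three-argument form),
// blockTimestamp and _currentTimestamp are hypothetical.
contract OverloadChain {
    // Assumed two-argument wrapper. It shares the name sub_ but has a
    // different parameter list, so it is a distinct function. The call in
    // its body passes three arguments, which can only bind to the
    // (uint, uint, string) overload below, never back to this function.
    function sub_(uint a, uint b) internal pure returns (uint) {
        return sub_(a, b, "subtraction underflow");
    }

    // Terminal overload, as quoted in the comment: it makes no further
    // call, so the chain is at most two frames deep.
    function sub_(uint a, uint b, string memory errorMessage)
        internal
        pure
        returns (uint)
    {
        require(b <= a, errorMessage);
        return a - b;
    }

    // Harness mirroring the call shape described in the report:
    // a two-argument sub_ call on two timestamps.
    function elapsed(uint blockTimestamp, uint _currentTimestamp)
        external
        pure
        returns (uint)
    {
        return sub_(blockTimestamp, _currentTimestamp);
    }

    // For contrast, what self-recursion would look like: the callee has
    // the same name AND the same parameter types as the caller, and there
    // is no base case. A call to spin() never returns normally.
    function loop_(uint a, uint b) internal pure returns (uint) {
        return loop_(a, b);
    }

    function spin() external pure returns (uint) {
        return loop_(1, 0);
    }
}
```

When reviewing a suspected recursion in code with overloaded helpers, compare the argument count and types at the call site with each overload's signature before concluding that a function calls itself.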