Cross chain proposals can contain instructions to send native value. TemporalGovernor then sends this value when doing the call to the target contract:
The issue is however that TemporalGovernor has no way to receive value so it will revert since there will not be any value in the contract.
Impact
If a proposal needed requires native value, TemporalGovernor will not be able to execute it, thus impeding on the functionality of the contract. Unless extraordinary methods (SELFDESTRUCT/SENDALL) are taken to fund the contract.
Proof of Concept
Test in TemporalGovernorExec.t.sol:
// to show it doesn't fail on transferring to `this`
receive() external payable {}
function testExecuteProposalWithValue() public {
vm.warp(1); /// queue at 0 to enable testing of message already executed path
address[] memory targets = new address[](1);
targets[0] = address(this);
uint256[] memory values = new uint256[](1);
values[0] = 1000;
bytes[] memory payloads = new bytes[](1);
/// to be unbundled by the temporal governor
bytes memory payload = abi.encode(
address(governor),
targets,
values,
payloads
);
mockCore.setStorage(
true,
trustedChainid,
governor.addressToBytes(admin),
"reeeeeee",
payload
);
governor.queueProposal("");
bytes32 hash = keccak256(abi.encodePacked(""));
{
(bool executed, uint248 queueTime) = governor.queuedTransactions(
hash
);
assertEq(queueTime, block.timestamp);
assertFalse(executed);
}
vm.warp(block.timestamp + proposalDelay);
// EvmError: OutOfFund
vm.expectRevert();
governor.executeProposal("");
// revert no fallback
vm.deal(address(this),1000);
vm.expectRevert();
payable(address(governor)).transfer(1000);
}
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L400-L402
Vulnerability details
Description
Cross chain proposals can contain instructions to send native value.
TemporalGovernor
then sends this value when doing the call to the target contract:https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L400-L402
The issue is however that
TemporalGovernor
has no way to receive value so it will revert since there will not be any value in the contract.Impact
If a proposal needed requires native value,
TemporalGovernor
will not be able to execute it, thus impeding on the functionality of the contract. Unless extraordinary methods (SELFDESTRUCT
/SENDALL
) are taken to fund the contract.Proof of Concept
Test in
TemporalGovernorExec.t.sol
:Tools Used
Manual audit
Recommended Mitigation Steps
Consider adding a
receive
function.Assessed type
ETH-Transfer