Open code423n4 opened 12 months ago
0xSorryNotSorry marked the issue as primary issue
True, but the reward stream owners are trusted members, so it is assumed they will not act maliciously
This is working as designed:
ElliotFriedman marked the issue as disagree with severity
this should be an informational finding
ElliotFriedman marked the issue as sponsor acknowledged
alcueca changed the severity to QA (Quality Assurance)
alcueca marked the issue as grade-a
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L382-L464
Vulnerability details
Description
MultiRewardDistributor
supports multiple rewards per market. Each of these are configured in_addEmissionConfig
by the admin (governance throughTemporalGovernor
).There there is a check that there isn't an already existing
emissionConfig
for the sameemissionToken
in the samemarket
.It is also mentioned in the contract documentation that there is a hard rule with only one
emissionToken
per market:https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L33
It also mentions a risk with using native token as
emissionToken
(and incorrectly says its supported):https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L28-L29
The issue here is that this risk is not limited to just native token. This is a risk for any token. Since all balances in the
MultiRewardDistributor
are shared, it's just one big pool. IfemissionConfig
s in different markets shareemissionToken
they can steal from each others emissions.Impact
If two markets share
emissionToken
, one market owner can increase theirsupply/borrowEmissionsPerSec
to maximum and quickly deplete the other markets emissions.This requires governance to approve the new
emissionConfig
for an already existingemissionToken
, albeit in another market. It also requires the emission config owner to be malicious.It is however only mentioned in documentation and guarded against in code that the same emission token cannot appear twice in the same market. It is however as shown very dangerous if it appears in any other market as well.
Proof of Concept
Test in
MultiRewardDistributor.t.sol
,MultiRewardSupplySideDistributorUnitTest
:Tools Used
Manual audit
Recommended Mitigation Steps
Consider in addition to not allowing the same
emissionToken
appearing twice in the samemarketConfig
also not allowing the sameemissionToken
to appear in different markets.Or, have book keeping on which market has which amount of
emissionToken
so that one market cannot get another markets emissions.Assessed type
Error