Open code423n4 opened 12 months ago
0xSorryNotSorry marked the issue as primary issue
emission config owners are trusted, so do not agree with this being an issue
ElliotFriedman marked the issue as sponsor disputed
Valid as QA, I would just put in the docs to be careful not to set endless emissions by mistake.
alcueca changed the severity to QA (Quality Assurance)
alcueca marked the issue as grade-a
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L789-L792
Vulnerability details
Impact
the
emissionConfigOwner
has the ability to manage emission speed and end time of emissions.When changing end time there is a check that the new end time is further in the future than the current:
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L789-L792
_endTime
isuint256
so theemissionConfigOwner
could set the time totype(uint256).max
. Even ifadmin
(comptroller admin) changes the owner of the emissionConfig there is no way to lower the end time as any update is required to pass this check.This could be done to grief by an
owner
that is being replaced as it would require micromanagement of the speed to manage emissions. Otherwise emissions will never end and can reach un-payable payout amounts.Proof of Concept
Test in
MultiRewardDistributor.t.sol
,MultiRewardDistributorCommonUnitTest
:Tools Used
Manual audit.
Recommended Mitigation Steps
Consider removing the check that
_newEndTime > currentEndTime
. Or add a way to remove aemissionConfiguration
Assessed type
DoS