search

code-423n4 / 2023-07-moonwell-findings

1 stars 0 forks source link

`emissionConfigOwner` owner can DoS emission end time #318

Open code423n4 opened 12 months ago

code423n4 commented 12 months ago

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L789-L792

Vulnerability details

Impact

the emissionConfigOwner has the ability to manage emission speed and end time of emissions.

When changing end time there is a check that the new end time is further in the future than the current:

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L789-L792

File: MultiRewardDistributor/MultiRewardDistributor.sol

789:        require(
790:            _newEndTime > currentEndTime,
791:            "_newEndTime MUST be > currentEndTime"
792:        );

_endTime is uint256 so the emissionConfigOwner could set the time to type(uint256).max. Even if admin (comptroller admin) changes the owner of the emissionConfig there is no way to lower the end time as any update is required to pass this check.

This could be done to grief by an owner that is being replaced as it would require micromanagement of the speed to manage emissions. Otherwise emissions will never end and can reach un-payable payout amounts.

Proof of Concept

Test in MultiRewardDistributor.t.sol, MultiRewardDistributorCommonUnitTest:

    function testEndTimeMax() public {
        distributor._addEmissionConfig(
            mToken,
            address(this),
            address(emissionToken),
            0.5e18,
            0.5e18,
            block.timestamp + 365 days
        );

        // end time set to max value
        distributor._updateEndTime(
            mToken,
            address(emissionToken),
            type(uint256).max
        );

        // cannot be changed back
        vm.expectRevert("_newEndTime MUST be > currentEndTime");
        distributor._updateEndTime(
            mToken,
            address(emissionToken),
            block.timestamp + 365 days
        );
    }

Tools Used

Manual audit.

Recommended Mitigation Steps

Consider removing the check that _newEndTime > currentEndTime. Or add a way to remove a emissionConfiguration

Assessed type

DoS

c4-pre-sort commented 11 months ago

0xSorryNotSorry marked the issue as primary issue

ElliotFriedman commented 11 months ago

emission config owners are trusted, so do not agree with this being an issue

c4-sponsor commented 11 months ago

ElliotFriedman marked the issue as sponsor disputed

alcueca commented 11 months ago

Valid as QA, I would just put in the docs to be careful not to set endless emissions by mistake.

c4-judge commented 11 months ago

alcueca changed the severity to QA (Quality Assurance)

c4-judge commented 11 months ago

alcueca marked the issue as grade-a