Open code423n4 opened 12 months ago
0xSorryNotSorry marked the issue as primary issue
Emission creator (comptroller admin) and emission owners are trusted; it is assumed they will not add any poison reward tokens.
ElliotFriedman marked the issue as sponsor disputed
@ElliotFriedman, I'm not sure yet if anyone else has reported this, but the emissions token doesn't need to be even suspicious. USDC and USDT can blacklist users. If you use those tokens as emissions and any of your rewards holders get blacklisted, this issue will get triggered.
I'm marking this as valid medium at 50% payout.
alcueca marked the issue as satisfactory
alcueca marked the issue as partial-50
alcueca marked the issue as selected for report
I still dispute the validity of this finding. If a user's wallet got blacklisted by Circle, it is true that the transfer would revert, but removing the emissionconfig is not a solution to this. We can't and won't solve for inappropriate user activity by denying all users the ability to claim USDC rewards. This is working as designed.
The issue exists despite the quality of the mitigations proposed by the warden. The sponsor may choose to develop a mitigation of its own, or to acknowledge the issue and not fix it.
Given that this issue will impact only individual users, a fix might not be necessary, depending on the sponsor priorities.
If it were me, I would implement a separate set of external reward disbursement functions where the markets for which rewards are disbursed are passed in as a parameter, so that USDC-blacklisted users can still receive rewards for other markets.
Since tokens (EmissionConfig) cannot be added except by admin (the DAO), I still dispute the validity of the finding, or at least the severity. We have to be reasonable in our assumptions and the assumption that the admin will add a malicious/censorable token can't really be a precursor to a valid finding. The admin can directly remove funds from the contract with removeReserves, but we wouldn't consider a finding like that valid.
@lyoungblood, USDC and USDT are both censorable, and it sounds pretty reasonable that they would be used as emission tokens.
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L1232-L1237
Vulnerability details
Impact
When distributing rewards for a market, each `emissionConfig` is looped over and sent rewards for. `disburseBorrowerRewardsInternal` as an example; the same holds true for `disburseSupplierRewardsInternal`: https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L1147-L1247

If one transfer reverts, the whole transaction fails and no rewards will be paid out for this user. Hence, if there is a malicious token that reverts on transfer, no rewards will be paid out at all, as long as some rewards have accrued for the malicious `emissionConfig`. Users with already unclaimed rewards for this `emissionConfig` would have their rewards permanently locked. The `admin` (`TemporalGovernor`) of `MultiRewardsDistributor` could update the reward speed for the token to `0`, but that would only prevent further damage from being done. Upgradeable tokens aren't unusual, so the token might seem harmless to begin with but later be upgraded to a malicious implementation that reverts on transfer.
Proof of Concept
Test in `MultiRewardDistributor.t.sol`, `MultiRewardSupplySideDistributorUnitTest`; most of the test is copied from `testSupplierHappyPath` with the addition of `MaliciousToken`:

Tools Used
Manual audit
Recommended Mitigation Steps
Consider adding a way for `admin` to remove an `emissionConfig`. Alternatively, the reward transfer could be wrapped in a `try`/`catch`, returning `_amount` in `catch`. Be mindful to only allow a certain amount of gas to the transfer then, as otherwise the same attack works by consuming all gas available.

Assessed type
DoS
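The following is an added, simplified illustration of the disbursement loop described in the Impact section and of the `try`/`catch` plus gas-cap mitigation recommended above. It is example code written for this write-up, not the Moonwell `MultiRewardDistributor` contract; the contract name, the `accrued` mapping, the `TRANSFER_GAS_STIPEND` value and the event names are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC20 surface needed for this example (constructed, not a project file).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical, simplified stand-in for a multi-reward distributor:
// one reward token per emission config, one accrued balance per (config, user).
contract RewardDisburserExample {
    struct EmissionConfig {
        IERC20 token;
    }

    EmissionConfig[] public configs;
    // config index => user => accrued, unclaimed reward amount
    mapping(uint256 => mapping(address => uint256)) public accrued;

    // Gas forwarded to each reward transfer so a token that burns all available
    // gas cannot stall the loop. The figure is an assumption for this example and
    // must be sized for the most expensive legitimate reward token in use.
    uint256 public constant TRANSFER_GAS_STIPEND = 100_000;

    event RewardPaid(uint256 indexed configIndex, address indexed user, uint256 amount);
    event RewardTransferFailed(uint256 indexed configIndex, address indexed user, uint256 amount);

    // Admin plumbing, unguarded here only to keep the example short.
    function addConfig(IERC20 token) external {
        configs.push(EmissionConfig(token));
    }

    function accrue(uint256 configIndex, address user, uint256 amount) external {
        accrued[configIndex][user] += amount;
    }

    // Pattern described in the finding: every config is paid in one loop, so a
    // single reverting transfer (malicious token, or a blacklisted recipient of a
    // censorable token) reverts the whole claim and locks the other rewards too.
    function disburseAllOrNothing(address user) external {
        for (uint256 i = 0; i < configs.length; i++) {
            uint256 amount = accrued[i][user];
            if (amount == 0) continue;
            accrued[i][user] = 0;
            require(configs[i].token.transfer(user, amount), "transfer failed");
            emit RewardPaid(i, user, amount);
        }
    }

    // Hardened pattern: each transfer is isolated with try/catch and a gas cap.
    // On failure the amount is written back so it stays claimable later instead
    // of being lost, and the remaining configs are still paid out.
    function disburseIsolated(address user) external {
        for (uint256 i = 0; i < configs.length; i++) {
            uint256 amount = accrued[i][user];
            if (amount == 0) continue;
            accrued[i][user] = 0; // effects before interaction
            try configs[i].token.transfer{gas: TRANSFER_GAS_STIPEND}(user, amount) returns (bool ok) {
                if (ok) {
                    emit RewardPaid(i, user, amount);
                } else {
                    accrued[i][user] = amount;
                    emit RewardTransferFailed(i, user, amount);
                }
            } catch {
                accrued[i][user] = amount;
                emit RewardTransferFailed(i, user, amount);
            }
        }
    }
}
```

Two caveats for anyone adapting this. First, `try`/`catch` only catches a revert inside the callee: a token that returns no data from `transfer` (USDT-style) makes the `returns (bool ok)` decoding fail in the caller, and a config whose token address has no code reverts before the call, so a production version should use a low-level `call` with the same gas cap and accept either empty return data or a decoded `true`. Second, the stipend must be re-checked whenever a new reward token is added; a legitimate token whose transfer needs more gas than the cap would otherwise look like a failing one.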