code-423n4 / 2023-07-moonwell-findings


deploy uses same `initialMintAmount` for all tokens #322

Closed code423n4 closed 11 months ago

code423n4 commented 12 months ago

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/main/test/proposals/mips/mip00.sol#L351-L367

Vulnerability details

Impact

`mip00.sol` explains the setup of the whole system. `build` contains the final configuration for the deployment.

There, each MToken is unpaused and an initial mint is done to prevent exchange rate manipulation.

The issue is that each token uses the same `initialMintAmount`. In the comments, ETH and USDC are mentioned as tokens. Since these have different decimals, the real value used for minting will be very different.

`initialMintAmount` is `1 ether` in the base contract `Configs.sol`. Since it is unlikely that the deploying contract will have 1e18 USDC ($1 trillion), the `build` part of the setup and configuration will likely fail. Even if this isn't the actual initial mint amount, there is no number that would fit both 6-decimal USDC and 18-decimal ETH at the same time.

Proof of Concept

https://github.com/code-423n4/2023-07-moonwell/blob/main/test/proposals/mips/mip00.sol#L334-L379

File: test/proposals/mips/mip00.sol

                // each token config is looped over
334:            for (uint256 i = 0; i < cTokenConfigs.length; i++) {
335:                Configs.CTokenConfiguration memory config = cTokenConfigs[i];
336:
337:                address cTokenAddress = addresses.getAddress(
338:                    config.addressesString
339:                );

                    // ... unpause mint

351:                /// Approvals
352:                _pushCrossChainAction(
353:                    config.tokenAddress,
354:                    abi.encodeWithSignature(
355:                        "approve(address,uint256)",
356:                        cTokenAddress,
357:                        initialMintAmount // <-- same `initialMintAmount` for all tokens
358:                    ),
359:                    "Approve underlying token to be spent by market"
360:                );
361:
362:                /// Initialize markets
363:                _pushCrossChainAction(
364:                    cTokenAddress,
365:                    abi.encodeWithSignature("mint(uint256)", initialMintAmount), // <-- same `initialMintAmount` for all tokens
366:                    "Initialize token market to prevent exploit"
367:                );

                    // ... set collateral factor
379:            }

`initialMintAmount` can be found to be `1 ether` in the base contract `Configs.sol`:

https://github.com/code-423n4/2023-07-moonwell/blob/main/test/proposals/Configs.sol#L54-L55

File: test/proposals/Configs.sol

54:    /// @notice initial mToken mint amount
55:    uint256 public constant initialMintAmount = 1 ether;

Tools Used

Manual audit

Recommended Mitigation Steps

Consider adding a field in the configuration for `initialMintAmount` for each token.

Assessed type

ERC20
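The recommended mitigation, sketched as an added example that is not part of the original submission or of Moonwell's code: each market config carries its own initial mint amount, scaled by the underlying token's decimals, and a pre-flight check confirms the minter can fund every mint before the proposal actions are built. `MarketConfig`, `initialMintWhole`, `initialMintAmountFor` and `checkFunding` are hypothetical names, and the underlying tokens are assumed to implement the optional ERC-20 `decimals()`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Minimal token view used by this example (assumes the optional `decimals()` exists).
interface IERC20Metadata {
    function decimals() external view returns (uint8);
    function balanceOf(address account) external view returns (uint256);
}

/// Added example: hypothetical per-token initial mint configuration.
contract PerTokenInitialMint {
    struct MarketConfig {
        address tokenAddress;     // underlying token, as in the loop quoted above
        uint256 initialMintWhole; // hypothetical field: amount in whole tokens
    }

    /// Scale the whole-token amount by the token's own decimals, so that
    /// "1" means 1e6 base units for a 6-decimal token and 1e18 for an
    /// 18-decimal token instead of one shared constant.
    function initialMintAmountFor(MarketConfig memory config)
        public
        view
        returns (uint256)
    {
        uint8 tokenDecimals = IERC20Metadata(config.tokenAddress).decimals();
        return config.initialMintWhole * 10 ** uint256(tokenDecimals);
    }

    /// Pre-flight check to run before queuing approve/mint actions:
    /// reverts if any market would mint zero or the minter is underfunded.
    function checkFunding(MarketConfig[] memory configs, address minter)
        external
        view
    {
        for (uint256 i = 0; i < configs.length; i++) {
            uint256 amount = initialMintAmountFor(configs[i]);
            require(amount > 0, "initial mint amount is zero");
            require(
                IERC20Metadata(configs[i].tokenAddress).balanceOf(minter) >= amount,
                "minter cannot fund initial mint"
            );
        }
    }
}
```

In the quoted loop, the value returned by `initialMintAmountFor` would replace the shared `initialMintAmount` in both the `approve` and the `mint` calldata.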

c4-pre-sort commented 11 months ago

0xSorryNotSorry marked the issue as duplicate of #143

c4-judge commented 11 months ago

alcueca marked the issue as satisfactory