code-423n4 / 2023-07-moonwell-findings

The project's reputation and user funds can be affected if a clear invariant is not met #346

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/IRModels/JumpRateModel.sol#L20

Vulnerability details

Impact

The protocol may not work as expected in years that are not 365 days long, which could lead to a loss of confidence in the protocol. In fact, the next year is one of those years (leap year).

Furthermore, defining it as a constant in the contract is an invariant that can clearly lead to errors in the protocol.

Proof of Concept

JumpRateModel.sol

20:  uint public constant timestampsPerYear = 60 * 60 * 24 * 365;

Tools Used

Manual review

Recommended Mitigation Steps

The variable should not be a constant, and there should be additional measures in case a year has 366 days, as next year will.

Assessed type

Other

0xSorryNotSorry commented 1 year ago

OOS --> [L‑17] A year is not always 365 days

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as low quality report

c4-judge commented 1 year ago

alcueca marked the issue as unsatisfactory: Invalid