code-423n4 / 2023-07-moonwell-findings


Default Account fallback lack payable #363

Closed code423n4 closed 11 months ago

code423n4 commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Unitroller.sol#L136

Vulnerability details

Impact

The fallback lacks payable, which will lead to differences from mainnet behaviour, and many existing protocols may not work.

Proof of Concept

DefaultAccount is defined as follows:

The implementation of the default account abstraction. This is the code that is used by default for all addresses that are not in kernel space and have no contract deployed on them. This address:

Contains the minimal implementation of our account abstraction protocol. Note that it supports the built-in paymaster flows. When anyone (except bootloader) calls/delegate calls it, it behaves in the same way as a call to an EOA, i.e. it always returns success = 1, returndatasize = 0 for calls from anyone except for the bootloader.

If there is no code at the address, the DefaultAccount fallback method will be executed, which is compatible with the behavior of mainnet.

But at present, the fallback is not payable:

 fallback() external { // <-- without payable

Tools Used

Recommended Mitigation Steps

payable should be added.

Assessed type

Payable
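Added example, not code from the warden's report or from the Moonwell repository: a minimal Solidity illustration of the behaviour difference the report describes. Contract and function names are assumptions; the probe sends 1 wei with non-empty calldata so the call reaches the fallback rather than receive().

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not code from the 2023-07-moonwell repository.
// Account whose fallback is NOT payable. Solidity inserts a callvalue()
// guard into every non-payable function, so any call that forwards ETH
// to this contract reverts, and a low-level caller sees success == false.
contract NonPayableFallbackAccount {
    fallback() external {}
}

// The same account with payable fallback/receive. It accepts ETH with any
// calldata and returns no data, matching how a call to an EOA behaves.
contract PayableFallbackAccount {
    fallback() external payable {}
    receive() external payable {}
}

// Constructed harness (hypothetical name): forwards 1 wei plus one byte of
// calldata to `target` and reports the low-level call outcome, so the two
// accounts above (and a codeless EOA address) can be compared side by side.
contract CallvalueProbe {
    function probe(address target)
        external
        payable
        returns (bool ok, uint256 returnDataSize)
    {
        require(msg.value >= 1 wei, "fund the probe with at least 1 wei");
        bytes memory ret;
        // Non-empty calldata routes to fallback(), not receive().
        (ok, ret) = target.call{value: 1 wei}(hex"01");
        returnDataSize = ret.length;
    }
}
```

Probing an address with no code succeeds with empty return data, which is the mainnet behaviour the report compares against; only the non-payable variant breaks that contract for callers that attach value.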

0xSorryNotSorry commented 11 months ago

OOS --> [L‑02] Empty receive()/payable fallback() function does not authorize requests

c4-pre-sort commented 11 months ago

0xSorryNotSorry marked the issue as low quality report

c4-judge commented 11 months ago

alcueca marked the issue as unsatisfactory: Insufficient quality