Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Unitroller.sol#L136
Vulnerability details
Impact
The DefaultAccount fallback function lacks the payable modifier. This leads to behaviour that differs from mainnet, and many existing protocols may not work.
Proof of Concept
DefaultAccount is documented as follows:

DefaultAccount
The implementation of the default account abstraction. This is the code that is used by default for all addresses that are not in kernel space and have no contract deployed on them. This address:
Contains the minimal implementation of our account abstraction protocol. Note that it supports the built-in paymaster flows.
When anyone (except bootloader) calls/delegate calls it, it behaves in the same way as a call to an EOA, i.e. it always returns success = 1, returndatasize = 0 for calls from anyone except for the bootloader.

If there is no code for the address, the DefaultAccount fallback method will be executed, which is meant to be compatible with the behaviour of mainnet.

But at present, the fallback is not payable, so any call that transfers value to such an address reverts instead of succeeding as it would for an EOA on mainnet.
Tools Used
Recommended Mitigation Steps
The payable modifier should be added to the fallback function.
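As an added illustration, not code from the report or from the project's own repository, the following plain Solidity contracts show the difference the payable modifier makes. They run in an ordinary EVM (e.g. a local solc/Hardhat setup), not in the zkSync bootloader environment, and the names NonPayableFallbackAccount, PayableFallbackAccount, ProtocolStub and Demo are constructed for this example. ProtocolStub stands in for an existing protocol that forwards ETH with a low-level call, which is exactly the pattern that breaks when the receiving account's fallback is not payable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical stand-in for the current DefaultAccount fallback: present, but
// not payable. Any call carrying value (with or without calldata) reverts here,
// because there is no receive() and the fallback rejects value.
contract NonPayableFallbackAccount {
    fallback() external {}
}

// Same stand-in with the payable modifier the finding recommends. Value
// transfers now succeed, matching what sending ETH to an EOA does on mainnet.
contract PayableFallbackAccount {
    fallback() external payable {}
}

// Constructed helper that mimics what many existing protocols do: push ETH to
// an arbitrary address with a low-level call and report whether it succeeded.
contract ProtocolStub {
    function pay(address target) external payable returns (bool ok) {
        (ok, ) = target.call{value: msg.value}("");
    }
}

// Constructed demonstration harness: deploys both account variants and sends
// 1 wei to each through ProtocolStub. Call run() with at least 2 wei.
contract Demo {
    ProtocolStub internal stub = new ProtocolStub();
    NonPayableFallbackAccount internal np = new NonPayableFallbackAccount();
    PayableFallbackAccount internal p = new PayableFallbackAccount();

    function run()
        external
        payable
        returns (bool nonPayableOk, bool payableOk, uint256 npBalance, uint256 pBalance)
    {
        require(msg.value >= 2 wei, "send at least 2 wei");

        // Non-payable fallback: the inner call reverts, so call() returns false
        // and the 1 wei stays in ProtocolStub. A protocol that requires ok == true
        // (or uses transfer()/send()) fails here.
        nonPayableOk = stub.pay{value: 1 wei}(address(np));

        // Payable fallback: the transfer succeeds, as it would for an EOA.
        payableOk = stub.pay{value: 1 wei}(address(p));

        npBalance = address(np).balance; // 0
        pBalance = address(p).balance;   // 1
    }
}
```

Running Demo.run() with 2 wei yields nonPayableOk == false and payableOk == true; the only difference between the two account contracts is the payable keyword on the fallback, which is the one-line mitigation the report recommends.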
Assessed type
Payable