Closed code423n4 closed 10 months ago
0xSorryNotSorry marked the issue as primary issue
ElliotFriedman marked the issue as sponsor acknowledged
alcueca marked the issue as satisfactory
alcueca marked the issue as selected for report
alcueca marked issue #67 as primary and marked this issue as a duplicate of 67
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Comptroller.sol#L394-L424
Vulnerability details
Impact
The MToken markets configured for the respective collateral asset types can get deprecated due to various reasons associated with those assets. There should be functionality in the Comptroller.liquidateBorrowAllowed function to liquidate all the borrows in the accounts for deprecated markets.
This functionality is present in the Comptroller.liquidateBorrowAllowed of the Compound protocol, but is missing in the Comptroller.liquidateBorrowAllowed of the Moonwell protocol.
Since this isDeprecated functionality is missing, the borrowed assets of the deprecated MToken will not be able to be repaid after the deprecation.
The following code snippet shows how the isDeprecated functionality is implemented in Compound.Comptroller.sol.
Proof of Concept
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Comptroller.sol#L394-L424
Tools Used
Manual Review and VSCode
Recommended Mitigation Steps
Hence it is recommended to add this functionality and set the deprecated flag to true for the tokens which are going to be deprecated, thus allowing the borrowed positions of the deprecated token to be immediately liquidated, thus keeping the protocol stable and safe. isDeprecated should be called inside the Comptroller.liquidateBorrowAllowed function to enable liquidation.
Assessed type
Other
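The check this report asks for, as an added illustration that is neither Moonwell nor Compound source: a liquidation gate that skips the shortfall requirement when the borrowed market is deprecated. The contract, interfaces and storage layout are hypothetical, and the deprecation criteria (zero collateral factor, paused borrowing, 100% reserve factor) are an assumption modelled on Compound's Comptroller.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration only; every name below is hypothetical.
interface IMarket {
    function borrowBalanceStored(address account) external view returns (uint256);
    function reserveFactorMantissa() external view returns (uint256);
}

interface ILiquidityOracle {
    // Amount by which the account's borrows exceed its collateral value (0 if healthy).
    function shortfallOf(address account) external view returns (uint256);
}

contract LiquidationGate {
    struct MarketConfig { bool isListed; uint256 collateralFactorMantissa; bool borrowPaused; }

    address public immutable admin;
    ILiquidityOracle public immutable liquidity;
    uint256 public closeFactorMantissa = 0.5e18;
    mapping(address => MarketConfig) public markets;

    constructor(ILiquidityOracle liquidity_) { admin = msg.sender; liquidity = liquidity_; }

    function setMarket(address market, MarketConfig calldata cfg) external {
        require(msg.sender == admin, "only admin");
        markets[market] = cfg;
    }

    // Assumed criteria: no collateral value, new borrows paused, all interest to reserves.
    function isDeprecated(IMarket market) public view returns (bool) {
        MarketConfig storage cfg = markets[address(market)];
        return cfg.collateralFactorMantissa == 0 && cfg.borrowPaused
            && market.reserveFactorMantissa() == 1e18;
    }

    function liquidateBorrowAllowed(IMarket borrowed, address collateral, address borrower, uint256 repayAmount)
        external view returns (bool)
    {
        if (!markets[address(borrowed)].isListed || !markets[collateral].isListed) return false;
        uint256 borrowBalance = borrowed.borrowBalanceStored(borrower);
        if (isDeprecated(borrowed)) {
            // Deprecated market: an open borrow can be closed in full without any shortfall.
            return repayAmount <= borrowBalance;
        }
        // Active market: the borrower must be under-collateralised, and the close factor caps the repay.
        if (liquidity.shortfallOf(borrower) == 0) return false;
        return repayAmount <= (closeFactorMantissa * borrowBalance) / 1e18;
    }
}
```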