Closed code423n4 closed 10 months ago
Then when a legitimate user makes their deposit, the mintTokens value for the user will be reduced to less than 1 and rounded down to 0. Consequently, the user will receive 0 MTokens against their deposit, and the entire supply of MTokens will be held by the attacker.
Above statement requires further proof which was not provided in this submission. Marking as LQ.
0xSorryNotSorry marked the issue as low quality report
ElliotFriedman marked the issue as sponsor disputed
alcueca changed the severity to 2 (Med Risk)
alcueca marked the issue as duplicate of #92
alcueca marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/MToken.sol#L340-L370
Vulnerability details
Impact
A well know inflation attack/first deposit (mint) bug. The attacker can steal assets from other user's deposit (mint).
Proof of Concept
The Moonwell project is a fork from the Compound Protocol. The MToken (the MToken on Compound) represents a yield-bearing asset that is generated when a user deposits underlying tokens. The number of MTokens minted for a user depends on the amount of underlying tokens they are depositing.
The MToken contract calculates the amount of MTokens to be minted in two scenarios:
Below is the relevant portion of the MToken code
The function contains a critical vulnerability that can be exploited to steal funds from initial depositors of a newly deployed MToken contract.
The vulnerability arises from the fact that the exchange rate of the MToken is determined by the ratio of the MToken's totalSupply and the underlying token balance of the MToken contract. An attacker can take advantage of this to manipulate the exchange rate.
The attack as follow: After the MToken has been deployed and added to the lending protocol, the attacker mints the smallest possible amount of MTokens. The attacker then performs a straightforward transfer of underlying tokens to the MToken contract, artificially inflating the value of underlying.balanceOf(MToken). Then when a legitimate user makes their deposit, the mintTokens value for the user will be reduced to less than 1 and rounded down to 0. Consequently, the user will receive 0 MTokens against their deposit, and the entire supply of MTokens will be held by the attacker.
As a result, the attacker can redeem their MToken balance for the entire underlying token balance of the MToken contract. This process can be repeated to steal subsequent users' deposits.
Some reference of this issues: https://mixbytes.io/blog/overview-of-the-inflation-attack https://code4rena.com/reports/2023-01-ondo#m-02-first-deposit-bug https://github.com/code-423n4/2023-03-asymmetry-findings/issues/715
Tools Used
Manual analysis
Recommended Mitigation Steps
Need to enforce a minimum deposit that can't be withdrawn, for instance mint some of the intial amount to the zero address
Assessed type
Token-Transfer