Closed code423n4 closed 1 year ago
The function utilizes CarefulMath's mulUInt function, which checks for integer overflows.
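```solidity
function mulUInt(uint a, uint b) internal pure returns (MathError, uint) {
    // Zero operand: the product is 0 and cannot overflow.
    if (a == 0) {
        return (MathError.NO_ERROR, 0);
    }

    uint c = a * b;

    // If dividing the product by a does not give back b, the multiplication overflowed.
    if (c / a != b) {
        return (MathError.INTEGER_OVERFLOW, 0);
    } else {
        return (MathError.NO_ERROR, c);
    }
}
```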
Invalid assumption.
0xSorryNotSorry marked the issue as low quality report
alcueca marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/MToken.sol#L363
Vulnerability details
Impact
Incorrect exchange rate values
Proof of Concept
The exchangeRateStoredInternal function is missing validation on the Exp mantissa size before creating the exchange rate Exp. This could lead to overflow. This would make the mantissa of exchangeRate equal to 2^128 * 1, which overflows the int128 range and causes incorrect state. Before passing cashPlusBorrowsMinusReserves into getExp(), there should be a validation check that it is within the maximum value that can be represented by an Exp mantissa.
Tools Used
Manual
Recommended Mitigation Steps
Add validation on cashPlusBorrowsMinusReserves before passing it into getExp.
Assessed type
Other
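The overflow check quoted in the comment above, as an added example that is not part of the original thread or of the Moonwell code base: a Python model of `mulUInt` with the product wrapped to 256 bits the way unchecked `uint` arithmetic wraps. `get_exp`, `EXP_SCALE` and `check_is_exact` are hypothetical names, and `get_exp` assumes that getExp scales the numerator by 1e18 through `mulUInt` before dividing.

```python
NO_ERROR = "NO_ERROR"
INTEGER_OVERFLOW = "INTEGER_OVERFLOW"
DIVISION_BY_ZERO = "DIVISION_BY_ZERO"
EXP_SCALE = 10**18  # assumption: Exp mantissas are scaled by 1e18


def mul_uint(a, b, bits=256):
    """Model of the quoted mulUInt; the product is wrapped to `bits` bits."""
    mask = (1 << bits) - 1
    if a == 0:
        return NO_ERROR, 0
    c = (a * b) & mask           # what a wrapped uint multiplication would hold
    if c // a != b:              # dividing back fails exactly when it wrapped
        return INTEGER_OVERFLOW, 0
    return NO_ERROR, c


def get_exp(num, denom):
    """Hypothetical model of getExp: scale num via mul_uint, then divide."""
    err, scaled = mul_uint(num, EXP_SCALE)
    if err != NO_ERROR:
        return err, 0            # overflow is reported, no mantissa is produced
    if denom == 0:
        return DIVISION_BY_ZERO, 0
    return NO_ERROR, scaled // denom


def check_is_exact(bits=8):
    """Compare the division check with true overflow for every pair of inputs."""
    limit = 1 << bits
    for a in range(limit):
        for b in range(limit):
            err, _ = mul_uint(a, b, bits)
            if (err == INTEGER_OVERFLOW) != (a * b >= limit):
                return False
    return True


if __name__ == "__main__":
    largest_ok = (2**256 - 1) // EXP_SCALE   # largest numerator that still scales
    print(check_is_exact())                  # check has no false hits or misses
    print(get_exp(2**128, 1))                # fits in a 256-bit mantissa
    print(get_exp(largest_ok, 1)[0])         # still NO_ERROR
    print(get_exp(largest_ok + 1, 1))        # rejected with INTEGER_OVERFLOW
```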