code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/MToken.sol#L363

Vulnerability details

Impact

Incorrect exchange rate values

Proof of Concept

the exchangeRateStoredInternal function is missing validation on the Exp mantissa size before creating the exchange rate Exp. This could lead to overflow. This would make the mantissa of exchangeRate equal to 2^128 * 1 which overflows the int128 range and causes incorrect state Before passing cashPlusBorrowsMinusReserves into getExp(), there should be a validation check that it is within the maximum value that can be represented by an Exp mantissa.

Tools Used

Manual

Recommended Mitigation Steps

add validation on cashPlusBorrowsMinusReserves before passing into getExp

Assessed type

Other

0xSorryNotSorry commented 1 year ago

The function utilizes CarefulMath's mulUint function which checks for the integer overflows.


    function mulUInt(uint a, uint b) internal pure returns (MathError, uint) {
        if (a == 0) {
            return (MathError.NO_ERROR, 0);
        }

        uint c = a * b;

        if (c / a != b) {
            return (MathError.INTEGER_OVERFLOW, 0);
        } else {
            return (MathError.NO_ERROR, c);
        }
    }

Invalid assumption.

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as low quality report

c4-judge commented 1 year ago

alcueca marked the issue as unsatisfactory: Invalid

code-423n4 / 2023-07-moonwell-findings

Overflow/underflow when creating the exchange rate Exp. #386