code-423n4 / 2023-07-moonwell-findings


Avoidable Multiplication Overflow Error could prevent execution of compulsory code executions causing DOS #403

Open code423n4 opened 11 months ago

code423n4 commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L848
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L892

Vulnerability details

Impact

An avoidable multiplication overflow error could prevent the execution of compulsory code, causing a denial of service: when necessary code needs to be executed, it cannot be, because of a preventable overflow error.

Proof of Concept

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L848
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L892

 848.     uint256 supplierDelta = mul_(_supplierTokens, deltaIndex);
...
 892.     uint256 supplierDelta = mul_(_BorrowerTokens, deltaIndex);

Tools Used

Solidity, Hardhat

Recommended Mitigation Steps

Division in the fragment should prevent this:

 function mul_(Double memory a, Double memory b) pure internal returns (Double memory) {
   -     return Double({mantissa: mul_(a.mantissa, b.mantissa) / doubleScale});
   +    return Double({mantissa: mul_(a.mantissa, b.mantissa/expScale) / expScale});
    }
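Review bot: the `+` line pre-divides `b.mantissa` by `expScale` before multiplying, so any remainder of `b.mantissa` modulo `expScale` is truncated and the result no longer equals `mul_(a.mantissa, b.mantissa) / doubleScale`; the hunk also swaps `doubleScale` for `expScale` without showing how the two constants relate, so the rewrite is only equivalent (up to that truncation) if `doubleScale` equals `expScale * expScale`, which should be verified before applying it. Separately, the cited lines 848 and 892 call `mul_(_supplierTokens, deltaIndex)` and `mul_(_BorrowerTokens, deltaIndex)`, while the hunk patches the `mul_(Double, Double)` overload; confirm that this is the overload those call sites resolve to, otherwise the mitigation does not touch the reported path.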

Assessed type

DoS

0xSorryNotSorry commented 11 months ago

Technically valid but unrealistic. The values should be at least 2**128 each.

Could be QA.
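To make the reported overflow and the "at least 2**128 each" estimate concrete, here is an added Python model of the arithmetic; it is not code from the issue or from the Moonwell repository, and it assumes `expScale = 1e18`, `doubleScale = 1e36` and checked Solidity 0.8 arithmetic, none of which the page states. It also shows why the proposed mitigation changes results: it avoids the overflow for large operands but truncates the low part of `b.mantissa`.

```python
from math import isqrt

# Python model of the Solidity fixed-point helpers discussed in the issue.
# Assumed (not stated on the page): expScale = 1e18, doubleScale = 1e36, and
# Solidity >=0.8 checked arithmetic that reverts on uint256 overflow.
UINT256_MAX = 2**256 - 1
EXP_SCALE = 10**18       # assumed expScale
DOUBLE_SCALE = 10**36    # assumed doubleScale

def checked_mul(a: int, b: int) -> int:
    """Mirror checked uint256 multiplication: revert (raise) on overflow."""
    product = a * b
    if product > UINT256_MAX:
        raise OverflowError("uint256 multiplication overflow")
    return product

def mul_double_original(a_mantissa: int, b_mantissa: int) -> int:
    """Current code: mul_(a.mantissa, b.mantissa) / doubleScale."""
    return checked_mul(a_mantissa, b_mantissa) // DOUBLE_SCALE

def mul_double_proposed(a_mantissa: int, b_mantissa: int) -> int:
    """Proposed mitigation: mul_(a.mantissa, b.mantissa/expScale) / expScale."""
    return checked_mul(a_mantissa, b_mantissa // EXP_SCALE) // EXP_SCALE

def overflow_threshold() -> int:
    """Smallest x with x * x > UINT256_MAX, i.e. where the original reverts."""
    return isqrt(UINT256_MAX) + 1

def reverts(formula, a_mantissa: int, b_mantissa: int) -> bool:
    """True if `formula` would revert for these mantissas."""
    try:
        formula(a_mantissa, b_mantissa)
        return False
    except OverflowError:
        return True

def precision_loss(a_mantissa: int, b_mantissa: int) -> int:
    """Amount by which the proposed formula undercounts the original."""
    return (mul_double_original(a_mantissa, b_mantissa)
            - mul_double_proposed(a_mantissa, b_mantissa))

if __name__ == "__main__":
    big = overflow_threshold()                        # 2**128
    print(reverts(mul_double_original, big, big))     # True: both ~2**128
    print(reverts(mul_double_proposed, big, big))     # False: pre-division helps
    # b has a remainder modulo expScale; the proposed formula drops it
    print(precision_loss(3 * DOUBLE_SCALE, DOUBLE_SCALE + 7 * 10**17))  # 21 * 10**17
```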

c4-pre-sort commented 11 months ago

0xSorryNotSorry marked the issue as low quality report

c4-judge commented 11 months ago

alcueca changed the severity to QA (Quality Assurance)

c4-judge commented 11 months ago

alcueca marked the issue as grade-b