Open code423n4 opened 1 year ago
0xSorryNotSorry marked the issue as primary issue
ElliotFriedman marked the issue as sponsor disputed
Double entrypoint tokens such as SNX or TUSD are not supported in this implementation
Valid QA, since not mentioned in the documentation. I suggest that a governance manual is created with checks like this one.
alcueca changed the severity to QA (Quality Assurance)
alcueca marked the issue as grade-a
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/MErc20.sol#L148-L153
Vulnerability details
Impact
sweepToken() is designed to allow the market owner to withdraw any ERC20 token which might have ended up at MToken address. Underlying token must not be swept, therefore sweepToken() ensures token is not underlying. However, this can be bypassed if the underlying token is a double-entrypoint token.
Proof of Concept
Here it ensures that token address is different.
A double-entrypoint token has multiple addresses, but all the contracts operate on a single storage. Examples of such tokens: TUSD (2.8B USD market cap), SNX (740M USD market cap), and other Synthetix tokens.
Tools Used
Manual Review
Recommended Mitigation Steps
Check that underlying balance didn't change after transfer
Assessed type
Invalid Validation
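One way to implement the balance check recommended in the report above, as an added Solidity example that is not Moonwell's code or the reporter's. The contract name SweepGuardExample, the IERC20Like interface and the revert strings are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal token surface for this example (hypothetical, not Moonwell's interface).
// transfer() declares no return value so tokens that return nothing are tolerated;
// checking a returned bool is out of scope here.
interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external;
}

// Hypothetical market stub holding only the state the sweep check needs.
contract SweepGuardExample {
    address public immutable admin;
    address public immutable underlying;

    constructor(address underlying_) {
        admin = msg.sender;
        underlying = underlying_;
    }

    function sweepToken(IERC20Like token) external {
        require(msg.sender == admin, "only admin");

        // Address comparison alone: a second entrypoint of the same token
        // has a different address and passes this check.
        require(address(token) != underlying, "cannot sweep underlying");

        // Snapshot the underlying balance through the known underlying address.
        uint256 underlyingBefore = IERC20Like(underlying).balanceOf(address(this));

        uint256 amount = token.balanceOf(address(this));
        token.transfer(admin, amount);

        // If `token` shares storage with the underlying, the transfer above
        // moved underlying funds and this balance changed. Reverting here
        // rolls the transfer back.
        require(
            IERC20Like(underlying).balanceOf(address(this)) == underlyingBefore,
            "underlying balance changed"
        );
    }
}
```

The address check is kept as a cheap first filter; the post-transfer comparison is what rejects a second entrypoint, because it observes the effect on shared storage rather than the caller-supplied address.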