**Contest repo:** https://github.com/code-423n4/2023-07-moonwell
**Findings repo:** https://github.com/code-423n4/2023-07-moonwell-findings/
**Judging by:** [Alcueca] (Discord: `alcueca`)
**Pre-sorting by:** [sorryNotsorry](https://twitter.com/0xSorryNotSorry) (Discord: `0xsorrynotsorry`)

# High Severity Primary Submissions (10)

## [[H-370] Any user can claim rewards infinitely from the market without respecting the accrued rewards time](https://github.com/code-423n4/2023-07-moonwell-findings/issues/370)

## [[H-347] MALICIOUS USER CAN PREVENT A BORROWER FROM ADDING LIQUIDITY TO THEIR POSITION TO AVOID LIQUIDATION](https://github.com/code-423n4/2023-07-moonwell-findings/issues/347)

## [[H-267] Users' positions can be directly liquidated when the admin changes the `collateralFactorMantissa` from a higher value to a lower value](https://github.com/code-423n4/2023-07-moonwell-findings/issues/267)

## [[H-227] liquidateBorrow(): mTokens that have not entered the market can still be liquidated as collateral](https://github.com/code-423n4/2023-07-moonwell-findings/issues/227)

## [[H-118] Incorrect address is set as Wormhole Bridge, which breaks deploy](https://github.com/code-423n4/2023-07-moonwell-findings/issues/118)

## [[H-90] Incorrect getDerivedPriceThreeOracles() function per documentation](https://github.com/code-423n4/2023-07-moonwell-findings/issues/90)

## [[H-68] In Comptroller.sol, some setter functions' access control does not meet the design per documentation](https://github.com/code-423n4/2023-07-moonwell-findings/issues/68)

## [[H-51] Malicious users can inflate their shares by minting, borrowing, and using borrowed funds to mint in a loop without increasing the underlying token balance of the mToken contract](https://github.com/code-423n4/2023-07-moonwell-findings/issues/51)

## [[H-21] supply/borrowIndex in rewardDistributor is not updated when the mToken balance of a user is changed; a user can easily front-run a reward accrual by depositing a lot of tokens to get more than his share of the reward](https://github.com/code-423n4/2023-07-moonwell-findings/issues/21)

## [[H-4] Borrowing donated tokens to grief and then steal all the tokens in the protocol](https://github.com/code-423n4/2023-07-moonwell-findings/issues/4)

# Medium Severity Primary Submissions (47)

## [[M-406] External visibility modifier on a function that should be callable from address(this). Doesn't seem right.](https://github.com/code-423n4/2023-07-moonwell-findings/issues/406)

## [[M-404] getUnderlyingPrice() should return 0 when errored](https://github.com/code-423n4/2023-07-moonwell-findings/issues/404)

## [[M-377] The vulnerability in the `scalePrice` function is due to the lack of precision protection during division, potentially resulting in rounding errors and inaccurate scaled prices.](https://github.com/code-423n4/2023-07-moonwell-findings/issues/377)

## [[M-368] THERE IS NO FUNCTIONALITY TO LIQUIDATE THE `DEPRECATED` MTOKEN MARKETS](https://github.com/code-423n4/2023-07-moonwell-findings/issues/368)

## [[M-344] [M-07] ERC20 return values not checked](https://github.com/code-423n4/2023-07-moonwell-findings/issues/344)

## [[M-338] Inaccurate implementation of ECDSA creates signature malleability](https://github.com/code-423n4/2023-07-moonwell-findings/issues/338)

## [[M-326] No limit on the number of emission configs per MToken in `MultiRewardDistributor`](https://github.com/code-423n4/2023-07-moonwell-findings/issues/326)

## [[M-325] `excuteProposal` can fail due to Wormhole guardian change](https://github.com/code-423n4/2023-07-moonwell-findings/issues/325)

## [[M-321] `emissionToken` cannot be reused](https://github.com/code-423n4/2023-07-moonwell-findings/issues/321)

## [[M-320] Malicious `emissionToken` could poison rewards for a market](https://github.com/code-423n4/2023-07-moonwell-findings/issues/320)

## [[M-318] `emissionConfigOwner` owner can DoS emission end time](https://github.com/code-423n4/2023-07-moonwell-findings/issues/318)

## [[M-315] Only `guardian` can change `guardian`](https://github.com/code-423n4/2023-07-moonwell-findings/issues/315)

## [[M-312] Same `emissionToken` on different markets can steal each other's emissions](https://github.com/code-423n4/2023-07-moonwell-findings/issues/312)

## [[M-308] `fastTrackProposalExecution` doesn't check `intendedRecipient`](https://github.com/code-423n4/2023-07-moonwell-findings/issues/308)

## [[M-304] ChainlinkOracle assumes that the assets of all USD-denominated pairs have 18 decimal places](https://github.com/code-423n4/2023-07-moonwell-findings/issues/304)

## [[M-290] Improper use of the approve function can lead to front-running attacks.](https://github.com/code-423n4/2023-07-moonwell-findings/issues/290)

## [[M-270] `getPrice` will revert for tokens with more than 18 decimals](https://github.com/code-423n4/2023-07-moonwell-findings/issues/270)

## [[M-268] Proposals which intend to send native tokens to target addresses can't be executed](https://github.com/code-423n4/2023-07-moonwell-findings/issues/268)

## [[M-248] If the entire total supply of an MToken is available for flash loan, a user can profit by redeeming and minting again.](https://github.com/code-423n4/2023-07-moonwell-findings/issues/248)

## [[M-245] `TemporalGovernor.fastTrackProposalExecution` should add `whenPaused`](https://github.com/code-423n4/2023-07-moonwell-findings/issues/245)

## [[M-239] User can prevent liquidation by entering another market that has low supply and borrow activity](https://github.com/code-423n4/2023-07-moonwell-findings/issues/239)

## [[M-232] Granting guardians the right to pause can break the contract](https://github.com/code-423n4/2023-07-moonwell-findings/issues/232)

## [[M-228] sendReward incorrectly handles claims when rewards accrued are bigger than the current token holding, punishing big reward holders](https://github.com/code-423n4/2023-07-moonwell-findings/issues/228)

## [[M-220] There is no way to absorb the excess cash into reserves](https://github.com/code-423n4/2023-07-moonwell-findings/issues/220)

## [[M-218] `MultiRewardDistributor.disburseSupplierRewardsInternal()` does not follow the CEI pattern](https://github.com/code-423n4/2023-07-moonwell-findings/issues/218)

## [[M-217] `supplyCapGuardian` and `borrowCapGuardian` can abuse caps to prevent users from entering markets](https://github.com/code-423n4/2023-07-moonwell-findings/issues/217)

## [[M-204] Wrong calculation of cash available for borrow and redeem](https://github.com/code-423n4/2023-07-moonwell-findings/issues/204)

## [[M-187] _setCloseFactor is missing important checks in the Comptroller contract](https://github.com/code-423n4/2023-07-moonwell-findings/issues/187)

## [[M-185] Missing approve(0) when calling the approve function may revert with certain types of tokens](https://github.com/code-423n4/2023-07-moonwell-findings/issues/185)

## [[M-174] The `_addEmissionConfig` function does not allow setting the default emission value for both borrower and supplier](https://github.com/code-423n4/2023-07-moonwell-findings/issues/174)

## [[M-170] mintAllowed function in Comptroller could fail](https://github.com/code-423n4/2023-07-moonwell-findings/issues/170)

## [[M-143] Initial deploy won't succeed because of too high an `initialMintAmount` for the USDC market](https://github.com/code-423n4/2023-07-moonwell-findings/issues/143)

## [[M-137] MErc20.mint() & redeem() are functionally swaps which expose users to unlimited slippage](https://github.com/code-423n4/2023-07-moonwell-findings/issues/137)

## [[M-135] Possible incorrect utilizationRate](https://github.com/code-423n4/2023-07-moonwell-findings/issues/135)

## [[M-134] Borrower can cause a DoS by front-running a liquidation and repaying as little as 1 wei of the current debt](https://github.com/code-423n4/2023-07-moonwell-findings/issues/134)

## [[M-124] If the price of a market token goes to zero, the protocol could become insolvent](https://github.com/code-423n4/2023-07-moonwell-findings/issues/124)

## [[M-114] Incorrect chainId of Base in deploy script will force redeployment](https://github.com/code-423n4/2023-07-moonwell-findings/issues/114)

## [[M-108] Precision loss in Comptroller::liquidateCalculateSeizeTokens](https://github.com/code-423n4/2023-07-moonwell-findings/issues/108)

## [[M-95] When `Comptroller.sol#liquidateBorrowAllowed()` is called from `MErc20.sol#liquidateBorrow()`, the `actualRepayAmount` should be passed as the parameter rather than `repayAmount`.](https://github.com/code-423n4/2023-07-moonwell-findings/issues/95)

## [[M-92] MToken may be subject to an inflation attack](https://github.com/code-423n4/2023-07-moonwell-findings/issues/92)

## [[M-67] It's not possible to liquidate a deprecated market](https://github.com/code-423n4/2023-07-moonwell-findings/issues/67)

## [[M-62] Double-entrypoint underlying token allows market owner to withdraw underlying collateral without repaying debt](https://github.com/code-423n4/2023-07-moonwell-findings/issues/62)

## [[M-58] Borrower and supplier rewards accrued could be lost when the admin replaces the reward distributor with a new reward distributor](https://github.com/code-423n4/2023-07-moonwell-findings/issues/58)

## [[M-27] Expediting a queued transaction may not work due to a faulty implementation of the _queueProposal function in TemporalGovernor.sol](https://github.com/code-423n4/2023-07-moonwell-findings/issues/27)

## [[M-23] interestRateModel can cause an update to the historical accrual of MToken](https://github.com/code-423n4/2023-07-moonwell-findings/issues/23)

## [[M-19] A single emissionCap is not suitable for different reward tokens if they have different underlying decimals](https://github.com/code-423n4/2023-07-moonwell-findings/issues/19)

## [[M-18] borrowRateMaxMantissa should be specific to the chain the protocol is being deployed to](https://github.com/code-423n4/2023-07-moonwell-findings/issues/18)