code-423n4 / 2021-06-tracer-findings

Comparison between Raw token amount and WAD #124

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

0xsanson

Vulnerability details

Impact

In the Insurance.withdraw(amount) function we are requiring balance >= amount. The problem is that amount is a WAD number, whereas balance is a raw token amount. This works as long as the token decimals are 18, but a future token implementation can cause problems.

Proof of Concept

https://github.com/code-423n4/2021-06-tracer/blob/main/src/contracts/Insurance.sol#L77

Tools Used

Manual analysis.

Recommended Mitigation Steps

Make an appropriate conversion before comparing.

raymogg commented 3 years ago

You'll see on https://github.com/code-423n4/2021-06-tracer/blob/74e720ee100fd027c592ea44f272231ad4dfa2ab/src/contracts/Insurance.sol#L61 that when we mint pool tokens, we use WAD values.

So in this way, each insurance pool token is always in 18 decimal places and uses WAD values. The quote token of the insurance pool however may not be, but that is not what is being referenced on L77.

That means when we withdraw, we want to require that the balance > amount check is done in WAD.

cemozerr commented 3 years ago

Closing this issue as it seems to be invalid due to @raymogg's explanation.
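
A model of the unit distinction this thread turns on, as an added example that is not part of the original issue, its comments, or the Tracer contracts. Python integers stand in for `uint256`; the function names, the 6-decimal token and all amounts are constructed for illustration.

```python
# Added illustration; not code from the Tracer contracts.
# to_wad, from_wad, mixed_unit_check and same_unit_check are hypothetical names.

WAD_DECIMALS = 18


def _scale(token_decimals: int) -> int:
    """Factor between a token's raw units and 18-decimal WAD units."""
    if not 0 <= token_decimals <= WAD_DECIMALS:
        raise ValueError("only tokens with 0..18 decimals are modelled")
    return 10 ** (WAD_DECIMALS - token_decimals)


def to_wad(raw: int, token_decimals: int) -> int:
    """Scale a raw token amount up to WAD."""
    return raw * _scale(token_decimals)


def from_wad(wad: int, token_decimals: int) -> int:
    """Scale a WAD amount down to raw units (truncates, like integer division on-chain)."""
    return wad // _scale(token_decimals)


def mixed_unit_check(raw_balance: int, wad_amount: int) -> bool:
    """The comparison the report warns about: raw units on one side, WAD on the other."""
    return raw_balance >= wad_amount


def same_unit_check(raw_balance: int, token_decimals: int, wad_amount: int) -> bool:
    """Normalise the balance to WAD first, then compare like with like."""
    return to_wad(raw_balance, token_decimals) >= wad_amount


# Constructed sample values.
QUOTE_DECIMALS = 6                    # assumed 6-decimal quote token
quote_balance_raw = 500 * 10**6       # 500 quote tokens, raw units
pool_balance_wad = 500 * 10**18       # 500 pool tokens, minted in WAD (18 decimals)
amount_wad = 100 * 10**18             # withdraw request: 100 tokens, in WAD

if __name__ == "__main__":
    # Raw 6-decimal balance vs WAD amount: a holder of 500 is refused 100.
    print("mixed units, quote token:", mixed_unit_check(quote_balance_raw, amount_wad))
    # Same balance normalised to WAD: the check passes.
    print("same units, quote token: ", same_unit_check(quote_balance_raw, QUOTE_DECIMALS, amount_wad))
    # Pool-token balance is already WAD, so a direct comparison is unit-consistent.
    print("pool token vs WAD amount:", mixed_unit_check(pool_balance_wad, amount_wad))
```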