Closed code423n4 closed 3 years ago
You'll see on https://github.com/code-423n4/2021-06-tracer/blob/74e720ee100fd027c592ea44f272231ad4dfa2ab/src/contracts/Insurance.sol#L61 that when we mint pool tokens, we use WAD values.
So in this way, each insurance pool token is always in 18 decimal places and uses WAD values. The quote token of the insurance pool, however, may not be, but that is not what is being referenced on L77.
That means when we withdraw, we want to require that the balance > amount check is done in WAD.
Closing this issue as it seems to be invalid due to @raymogg's explanation.
Handle
0xsanson
Vulnerability details
Impact
In the Insurance.withdraw(amount) function we are requiring balance >= amount. The problem is that amount is a WAD number, whereas balance is a raw token amount. This works as long as the token decimals are 18, but a future token implementation can cause problems.
Proof of Concept
https://github.com/code-423n4/2021-06-tracer/blob/main/src/contracts/Insurance.sol#L77
Tools Used
Manual analysis.
Recommended Mitigation Steps
Make an appropriate conversion before comparing.
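The unit mismatch this finding describes, and the convert-then-compare mitigation it recommends, modeled in Python as an added example (not code from the Tracer repository or from either commenter). The helper names and sample balances are constructed for illustration; per the sponsor's reply, the pool token balance checked on L77 is already in WAD, so the conversion only matters where a raw token balance really is compared against a WAD amount.

```python
WAD_DECIMALS = 18  # WAD = 18-decimal fixed point


def token_to_wad(raw_amount: int, token_decimals: int) -> int:
    """Scale a raw token amount to WAD (hypothetical helper name)."""
    if token_decimals <= WAD_DECIMALS:
        return raw_amount * 10 ** (WAD_DECIMALS - token_decimals)
    # More than 18 decimals: floor division rounds the balance down,
    # the conservative direction for a balance >= amount check.
    return raw_amount // 10 ** (token_decimals - WAD_DECIMALS)


def mixed_unit_check(raw_balance: int, wad_amount: int) -> bool:
    """The comparison the finding describes: raw balance against a WAD amount."""
    return raw_balance >= wad_amount


def converted_check(raw_balance: int, token_decimals: int, wad_amount: int) -> bool:
    """The recommended mitigation: convert first, then compare WAD with WAD."""
    return token_to_wad(raw_balance, token_decimals) >= wad_amount


def compare_checks(tokens_held: int, tokens_requested: int, token_decimals: int):
    """Return (mixed-unit result, converted result) for whole-token inputs."""
    raw_balance = tokens_held * 10 ** token_decimals
    wad_amount = tokens_requested * 10 ** WAD_DECIMALS
    return (
        mixed_unit_check(raw_balance, wad_amount),
        converted_check(raw_balance, token_decimals, wad_amount),
    )


if __name__ == "__main__":
    # Constructed cases: (tokens held, tokens requested, token decimals)
    for held, requested, decimals in [(100, 50, 18), (100, 50, 6), (1, 2, 24)]:
        mixed, converted = compare_checks(held, requested, decimals)
        print(f"decimals={decimals:2d} held={held} requested={requested} "
              f"mixed={mixed} converted={converted}")
```

With 6 decimals the mixed-unit check rejects a withdrawal the holder can cover, and with 24 decimals it accepts one the holder cannot; at 18 decimals both checks agree.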