Open code423n4 opened 2 years ago
applyCover takes a parameter named "_incidentTimestamp". _incidentTimestamp is always sometime before, so front-running applyCover has no meaning.
Agree with sponsor that this isn't feasible unless the owner called with an incidentTimestamp in the future.
    require(
        marketStatus == MarketStatus.Payingout &&
            _insurance.startTime <= _incidentTimestamp &&
            _insurance.endTime >= _incidentTimestamp,
        "ERROR: INSURANCE_NOT_APPLICABLE"
    );
Lowering to non-critical, as the sponsor may choose to add a require statement to force incidentTimestamp < block.timestamp.
Handle
danb
Vulnerability details
https://github.com/code-423n4/2022-01-insure/blob/main/contracts/PoolTemplate.sol#L655
applyCover can be frontrun with an insure call in order to get the incident money. I suggest you add the same mechanism as in withdraw: add requestInsure, which must be called some time before insure.
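As an added illustration (not part of the thread and not the project's PoolTemplate.sol), the simplified model below combines the window check quoted above with the guard the judge mentions: once `_incidentTimestamp` must be strictly earlier than `block.timestamp`, a policy bought in the same block as `applyCover` starts after the incident and fails the `startTime <= incidentTimestamp` test. Assumptions: cover starts at purchase time, the contract name, struct layout, `isApplicable` helper and the `INCIDENT_IN_FUTURE` error string are hypothetical, and access control is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model for illustration only; names other than applyCover,
// insure, marketStatus and the Insurance time fields are hypothetical.
contract CoverWindowModel {
    enum MarketStatus { Trading, Payingout }

    struct Insurance {
        uint256 startTime;
        uint256 endTime;
        address insured;
    }

    MarketStatus public marketStatus;
    uint256 public incidentTimestamp;
    Insurance[] public insurances;

    // Assumption: a policy's cover starts in the block where it is bought.
    function insure(uint256 _span) external returns (uint256 id) {
        id = insurances.length;
        insurances.push(
            Insurance(block.timestamp, block.timestamp + _span, msg.sender)
        );
    }

    // Access control is left out of this model.
    function applyCover(uint256 _incidentTimestamp) external {
        // Guard discussed in the thread: the incident must already be in the
        // past, so a policy created at or after this block cannot qualify.
        require(
            _incidentTimestamp < block.timestamp,
            "ERROR: INCIDENT_IN_FUTURE" // hypothetical error string
        );
        incidentTimestamp = _incidentTimestamp;
        marketStatus = MarketStatus.Payingout;
    }

    // Same window check as the require quoted above, exposed as a view.
    function isApplicable(uint256 _id) external view returns (bool) {
        Insurance memory _insurance = insurances[_id];
        return
            marketStatus == MarketStatus.Payingout &&
            _insurance.startTime <= incidentTimestamp &&
            _insurance.endTime >= incidentTimestamp;
    }
}
```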