Closed code423n4 closed 2 years ago
It is fine that anyone can call the unlock() function. unlock() has an effect on premium reduction by decreasing the utilization rate. It is true that a specific address can have a grace period of zero (== can unlock as soon as the insurance period ends); however, setGrace() can be called only by the Owner, so we assume this works with no problem.
Closing as invalid, working as designed. Working as intended, a grace period of 0 is valid.
Handle
Fitraldys
Vulnerability details
Impact
In https://github.com/code-423n4/2022-01-insure/blob/main/contracts/PoolTemplate.sol#L352 the unlock function is callable by anyone, and there is no check of whether the caller is the correct insured address or not. This can be dangerous because it relies on parameters.getGrace(msg.sender), which, if the msg.sender didn't have any grace, will refer to the grace that address(0) had. The grace of address(0) can only be set manually by the owner of the parameters contract. If the owner of the parameters contract didn't set the grace value of address(0), and another user has already called insure in the PoolTemplate contract to make the insurance, this insurance can be unlocked by anyone who is not the correct insured address for the correlated insurance id, which therefore makes it unredeemable.
Proof of Concept
https://github.com/code-423n4/2022-01-insure/blob/main/contracts/PoolTemplate.sol#L352
Recommended Mitigation Steps
Add an access control for who is the correct address that can call the unlock function: either the correct insured address of the insurance or the admin.
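The following is an added example, not part of the report or the project's code: a simplified Python model of the behaviour discussed in this thread (grace looked up for the caller with a fallback to address(0), unlock callable by anyone), next to the caller restriction the report recommends. All class and function names are hypothetical, and treating the Parameters owner as "the admin" is an assumption.

```python
# Simplified model of the behaviour this report describes. Constructed for
# illustration; names and structure are assumptions, not the project's source.
ZERO = "address(0)"

class Parameters:
    def __init__(self, owner):
        self.owner, self._grace = owner, {}
    def set_grace(self, caller, target, seconds):
        if caller != self.owner:  # only the owner can set a grace period
            raise PermissionError("owner only")
        self._grace[target] = seconds
    def get_grace(self, target):
        # No grace set for this address: fall back to address(0)'s value,
        # which is 0 until the owner sets it.
        return self._grace.get(target) or self._grace.get(ZERO, 0)

class Pool:
    def __init__(self, params, restrict_caller=False):
        self.params, self.restrict_caller = params, restrict_caller
        self.insurances, self.locked = [], 0
    def insure(self, insured, amount, end_time):
        self.insurances.append({"insured": insured, "amount": amount,
                                "end": end_time, "active": True})
        self.locked += amount
        return len(self.insurances) - 1
    def can_unlock(self, caller, pid, now):
        ins = self.insurances[pid]
        # Recommended mitigation: only the insured or the admin (modelled
        # here as the Parameters owner, an assumption) may unlock.
        if self.restrict_caller and caller not in (ins["insured"], self.params.owner):
            return False
        # The grace period is looked up for the caller, not the insured.
        return ins["active"] and now > ins["end"] + self.params.get_grace(caller)
    def unlock(self, caller, pid, now):
        if not self.can_unlock(caller, pid, now):
            raise PermissionError("unlock conditions not met")
        ins = self.insurances[pid]
        ins["active"] = False
        self.locked -= ins["amount"]  # lowers the utilization rate

def scenario(restrict_caller, default_grace=None, now=1_001):
    """Who can unlock a policy that ended at t=1000, checked at `now`."""
    params = Parameters(owner="owner")
    if default_grace is not None:
        params.set_grace("owner", ZERO, default_grace)
    pool = Pool(params, restrict_caller)
    pid = pool.insure("insured", 100, end_time=1_000)
    return {who: pool.can_unlock(who, pid, now) for who in ("insured", "third_party")}
```

With no grace configured, `scenario(False)` lets any caller unlock one second after the end time; setting a default grace for address(0) delays every caller equally, while `scenario(True)` limits unlocking to the insured and the admin.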