Contracts use assert() instead of require() in the Vault.
Per Solidity’s documentation:
"Assert should only be used to test for internal errors, and to check invariants. Properly functioning code should never create a Panic, not even on invalid external input. If this happens, then there is a bug in your contract which you should fix. Language analysis tools can evaluate your contract to identify the conditions and function calls which will cause a Panic."
Handle
defsec
Vulnerability details
Impact
Contracts use assert() instead of require() in the Vault.
Per Solidity’s documentation, quoted above, assert() should only be used to test for internal errors and to check invariants.
Proof of Concept
https://github.com/code-423n4/2022-01-insure/blob/19d1a7819fe7ce795e6d4814e7ddf8b8e1323df3/contracts/Vault.sol#L168
Tools Used
None
Recommended Mitigation Steps
Change to require().
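
The change recommended above, shown as an added example; this is not code from the audited Vault.sol. The contract, function names and error strings are hypothetical, and Solidity 0.8.x is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contract for illustration; not the audited Vault.sol.
contract ExampleVault {
    mapping(address => uint256) public balanceOf;
    uint256 public totalDeposits;

    function deposit() external payable {
        require(msg.value > 0, "ERROR: ZERO_DEPOSIT");
        balanceOf[msg.sender] += msg.value;
        totalDeposits += msg.value;
    }

    // Before: caller-controlled input is checked with assert().
    // An oversized _amount reverts with Panic(0x01), which analysis
    // tools report as a contract bug, and carries no reason string.
    function withdrawWithAssert(uint256 _amount) external {
        assert(_amount <= balanceOf[msg.sender]);
        _withdraw(_amount);
    }

    // After: the same check with require(). Invalid input reverts with
    // Error(string), so callers and monitoring see why the call failed.
    function withdraw(uint256 _amount) external {
        require(_amount <= balanceOf[msg.sender], "ERROR: INSUFFICIENT_BALANCE");
        _withdraw(_amount);
    }

    function _withdraw(uint256 _amount) private {
        // Effects first, external call last.
        balanceOf[msg.sender] -= _amount;
        totalDeposits -= _amount;

        // Appropriate use of assert(): an internal invariant that no
        // external input should be able to break.
        assert(address(this).balance >= totalDeposits);

        (bool ok, ) = msg.sender.call{value: _amount}("");
        require(ok, "ERROR: TRANSFER_FAILED");
    }
}
```

Keeping assert() only on invariants means a Panic in transaction traces or analyzer output points at a real defect instead of ordinary bad input.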