search

code-423n4 / 2022-01-insure-findings

2 stars 0 forks source link

Use of assert() instead of require() #329

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

defsec

Vulnerability details

Impact

Contracts use assert() instead of require() in the Vault.

Per to Solidity’s documentation:

"Assert should only be used to test for internal errors, and to check invariants. Properly functioning code should never create a Panic, not even on invalid external input. If this happens, then there is a bug in your contract which you should fix. Language analysis tools can evaluate your contract to identify the conditions and function calls which will cause a Panic.”

Proof of Concept

  1. Navigate to the following contract.

https://github.com/code-423n4/2022-01-insure/blob/19d1a7819fe7ce795e6d4814e7ddf8b8e1323df3/contracts/Vault.sol#L168

        if (available() < _amount) {
            //when USDC in this contract isn't enough
            uint256 _shortage = _amount - available();
            _unutilize(_shortage);

            assert(available() >= _amount);
        }

Tools Used

None

Recommended Mitigation Steps

Change to require().

oishun1112 commented 2 years ago

https://github.com/code-423n4/2022-01-insure-findings/issues/234

0xean commented 2 years ago

Moving these to dupe of #21