code-423n4 / 2022-01-insure-findings


Expired insurance status set incorrectly after unlock of funds #359

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

ye0lde

Vulnerability details

Impact

Expired insurance status set incorrectly after unlock of funds

The insurance status is not set to false, and the unlock function can be called over and over, driving the lockedAmount to 0. The distorted lockedAmount will then cause liquidity and utilization rates to be distorted. At the least, it could be used in a 'griefing' attack and could cause the protocol to become overextended or unstable.

Proof of Concept

The unlock routine is here: https://github.com/code-423n4/2022-01-insure/blob/19d1a7819fe7ce795e6d4814e7ddf8b8e1323df3/contracts/PoolTemplate.sol#L348-L365

    /**
     * @notice Unlock funds locked in the expired insurance
     * @param _id id of the insurance policy to unlock liquidity
     */
    function unlock(uint256 _id) public {
        require(
            insurances[_id].status == true &&
                marketStatus == MarketStatus.Trading &&
                insurances[_id].endTime + parameters.getGrace(msg.sender) <
                block.timestamp,
            "ERROR: UNLOCK_BAD_COINDITIONS"
        );
        insurances[_id].status == false;

        lockedAmount = lockedAmount - insurances[_id].amount;

        emit Unlocked(_id, insurances[_id].amount);
    }

Note that the insurance's _id is just a number between 0 and allInsuranceCount. And parameters.getGrace(msg.sender) returns 0 for an unknown address.

Tools Used

Visual Studio Code, Remix

Recommended Mitigation Steps

Line 360:

    insurances[_id].status == false;

should be:

    insurances[_id].status = false;

oishun1112 commented 2 years ago

https://github.com/code-423n4/2022-01-insure-findings/issues/192
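
Added example, not part of the original report or the project's code: a Python model of the `unlock()` accounting described in the issue above, with the discarded comparison beside the corrected assignment and an invariant check on `lockedAmount` that separates the two. The names `PoolModel`, `insure`, `replay`, `invariant_holds`, `now` and `grace` are assumptions; the `marketStatus` condition is left out, and the subtraction is assumed to revert on underflow.

```python
from dataclasses import dataclass, field

@dataclass
class Insurance:
    amount: int
    end_time: int
    status: bool = True

@dataclass
class PoolModel:
    """Constructed model of the unlock() bookkeeping; not PoolTemplate.sol itself."""
    fixed: bool
    insurances: list = field(default_factory=list)
    locked_amount: int = 0

    def insure(self, amount, end_time):
        self.insurances.append(Insurance(amount, end_time))
        self.locked_amount += amount
        return len(self.insurances) - 1

    def unlock(self, _id, now, grace=0):
        ins = self.insurances[_id]
        if not (ins.status and ins.end_time + grace < now):
            raise ValueError("ERROR: UNLOCK_BAD_COINDITIONS")
        if ins.amount > self.locked_amount:
            raise ArithmeticError("underflow")  # assumption: checked subtraction reverts
        if self.fixed:
            ins.status = False   # assignment: the policy can be unlocked only once
        else:
            ins.status == False  # comparison, result discarded: status stays True
        self.locked_amount -= ins.amount

    def invariant_holds(self):
        """locked_amount must equal the summed amounts of policies still marked active."""
        return self.locked_amount == sum(i.amount for i in self.insurances if i.status)

def replay(fixed, calls=3):
    """Unlock one expired policy `calls` times; return (accepted, locked_amount, invariant)."""
    pool = PoolModel(fixed=fixed)
    expired = pool.insure(100, end_time=10)   # constructed sample policy, already expired
    pool.insure(300, end_time=1_000)          # constructed sample policy, still active
    accepted = 0
    for _ in range(calls):
        try:
            pool.unlock(expired, now=50)
            accepted += 1
        except (ValueError, ArithmeticError):
            break
    return accepted, pool.locked_amount, pool.invariant_holds()
```

The same invariant, asserted after every state-changing call in the contract's own test suite, would flag the `==` version on the first `unlock`.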