Expired insurance status set incorrectly after unlock of funds
The insurance status is not set to false and the unlock function can be called over and over driving the lockedAmount to 0. The distorted lockedAmount will then cause liquidity and utilization rates to be distorted. At the least, it could be used in a 'griefing' attack and could cause the protocol to become overextended or unstable.
Handle
ye0lde
Vulnerability details
Impact
Expired insurance status set incorrectly after unlock of funds
The insurance status is not set to false and the unlock function can be called over and over driving the lockedAmount to 0. The distorted lockedAmount will then cause liquidity and utilization rates to be distorted. At the least, it could be used in a 'griefing' attack and could cause the protocol to become overextended or unstable.
Proof of Concept
The unlock routine is here: https://github.com/code-423n4/2022-01-insure/blob/19d1a7819fe7ce795e6d4814e7ddf8b8e1323df3/contracts/PoolTemplate.sol#L348-L365
Note that the insurances' _id is just a number between 0 and allInsuranceCount. And parameters.getGrace(msg.sender) returns 0 for an unknown address.
Tools Used
Visual Studio Code, Remix
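The accounting problem described under Impact and Proof of Concept, as an added example that is not the PoolTemplate.sol source: a simplified model with the flawed unlock beside a corrected one and an invariant to check against. The contract name, struct fields, function names (insure, unlockFlawed, unlock, activeSum) and the fixed zero grace period are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model written for this example; NOT the PoolTemplate.sol source.
// Struct fields, function names and the constant grace period are assumptions.
contract UnlockModel {
    struct Insurance {
        uint256 amount;
        uint256 endTime;
        bool status; // true while the cover still holds locked funds
    }

    Insurance[] public insurances;
    uint256 public lockedAmount;
    uint256 public constant GRACE = 0; // the page notes grace is 0 for an unknown caller

    // Hypothetical helper: register a cover and lock its amount.
    function insure(uint256 amount, uint256 span) external returns (uint256 id) {
        insurances.push(Insurance(amount, block.timestamp + span, true));
        lockedAmount += amount;
        return insurances.length - 1;
    }

    // Flawed form: status is never cleared, so the same expired id passes
    // the check on every call and its amount is subtracted each time.
    function unlockFlawed(uint256 id) external {
        Insurance storage ins = insurances[id];
        require(ins.status && ins.endTime + GRACE < block.timestamp, "bad conditions");
        lockedAmount -= ins.amount;
    }

    // Corrected form: clear status before adjusting the accounting, so a
    // second call for the same id reverts.
    function unlock(uint256 id) external {
        Insurance storage ins = insurances[id];
        require(ins.status && ins.endTime + GRACE < block.timestamp, "bad conditions");
        ins.status = false;
        lockedAmount -= ins.amount;
    }

    // Invariant a test can assert: lockedAmount equals the sum of active covers.
    function activeSum() external view returns (uint256 sum) {
        for (uint256 i = 0; i < insurances.length; i++) {
            if (insurances[i].status) sum += insurances[i].amount;
        }
    }
}
```

With unlock, lockedAmount stays equal to activeSum() after every call and a repeated call for the same id reverts; with unlockFlawed the two values diverge, which is the distortion of liquidity and utilization inputs the finding describes.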
Recommended Mitigation Steps
Line 360:
should be: