The startClaim() function has the following comment:
/// @dev The protocol agent is still active for 7 days after coverage ends, so a claim can still be submitted.
/// @dev But in case the claim is approved after the 7 day period, `payoutClaim()` can not be called as the protocol agent is 0
While it is true that calling protocolManager.protocolAgent(_protocol) will return the null address 7 days after coverage ends, the payout can still be executed even if the protocol agent is null because a receiver is specified and used in payoutClaims().
Recommended Mitigation Steps
Remove / update the comment.
/// @dev Approved claims after the 7 day period can still be made, where the amount will be sent to the receiver
Handle
GreyArt