Closed code423n4 closed 2 years ago
This isn't really an "issue" and definitely should not be rewarded.
I agree - downgrading to QA as this is a systemic external risk. Should the underlying assets become insolvent (e.g. cTokens), the protocol would be at risk, but this is very low odds and in some sense a feature of the system given Swivel sits on top of these protocols.
Grouping this with the warden’s QA report #123
Duplicate of #123
Closing as invalid.
Lines of code
https://github.com/code-423n4/2022-07-swivel/blob/daf72892d8a8d6eaa43b9e7d1924ccb0e612ee3c/Swivel/Swivel.sol#L739-L759
Vulnerability details
Reliance on external protocols
Impact
If the external protocols were exploited and became insolvent, the principal would be in danger, leading to loss of funds. Although the likelihood is small, once it happens the outcome could be disastrous.
Proof of Concept
Redemption of the underlying depends primarily on the normal working condition of the protocols that the funds are deposited into.
Swivel/Swivel.sol
However, if those protocols were compromised and became insolvent, the security of the principal would be in question, and these protocols have been through multiple attacks in the past. Since these external protocols, libraries and other dependencies are upgraded from time to time, the possibility of introducing new vulnerabilities does exist. Existing bugs might also be found and exploited.
Tools Used
Manual analysis.
Recommended Mitigation Steps
Purchase insurance for the underlying to protect against failure of external protocols that are outside the project's control, for example from Nexus Mutual or InsurAce.