code423n4 commented 1 year ago

MITIGATION IS NOT CONFIRMED

Mitigation of M-10: Issue not mitigated

Link to Issue: https://github.com/code-423n4/2023-03-asymmetry-findings/issues/363

Comments

Even though the protocol team applied the warden's recommendation in M-10, the feature to enable/disable derivatives added as a mitigation for H-03/M-02/M-05 potentially reintroduces the issue.

Technical details

The following pull request https://github.com/asymmetryfinance/smart-contracts/pull/264/files adds a feature to enable or disable derivatives. As a result of this change, it is now possible to have at least one derivative, such that derivativeCount > 0, but have that derivative disabled.

Given this scenario, the added check in https://github.com/asymmetryfinance/smart-contracts/pull/208/files#diff-badfabc2bc0d1b9ef5dbef737cd03dc2f570f6fd2074aea9514da9db2fff6e4eR67 will succeed, while the deposit in the for-loop will be skipped as the derivative is disabled here https://github.com/asymmetryfinance/smart-contracts/pull/264/files#diff-badfabc2bc0d1b9ef5dbef737cd03dc2f570f6fd2074aea9514da9db2fff6e4eR86

This effectively reintroduces the conditions for the original issue described in M-10.

Recommendation

The check should only consider enabled derivatives. Alternatively the check could be done using the totalWeight variable, as this variable considers only enabled derivatives, and will be zero if all derivatives are disabled.