sherlock-audit / 2023-02-carapace-judging


libratus - Buyer can get protection cheaply using renewal grace period and low minimal renewal duration #179

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

libratus

high

Buyer can get protection cheaply using renewal grace period and low minimal renewal duration

Summary

Buyer can keep renewing protection at the end of the grace period using the minimal renewal duration. While in the grace period, the buyer can front-run defaults, effectively getting protection while not paying for it.

Vulnerability Detail

Grace period for renewing protection is planned to be around 14 days as mentioned in tests: https://github.com/sherlock-audit/2023-02-carapace/blob/main/test/contracts/ProtectionPool.test.ts#L392-L396

Minimal protection renewal is 1 day: https://github.com/sherlock-audit/2023-02-carapace/blob/main/contracts/libraries/ProtectionPoolHelper.sol#L52-L60

This setup allows the buyer to keep renewing protection while paying premium for 1 day out of 15. While in the grace period, they can look for signs of default or even front-run DefaultStateManager before a default in order to get compensated when the default happens.

Alternatively, buyer can choose to get protection for days when payments are expected from the borrower and avoid paying premium for the days in between.

Impact

Buyer can get protection much cheaper than intended. They only have to pay full premium for the first 90 days, while Goldfinch loans last years.

Code Snippet

https://github.com/sherlock-audit/2023-02-carapace/blob/main/contracts/core/pool/ProtectionPool.sol#L176-L195

Tool used

Manual Review

Recommendation

Minimal renewal has to be increased probably. Grace period can also be decreased and premium can be collected during the grace period.

Duplicate of #308
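As an added example (not the report's or the Carapace code), a TypeScript model of the renewal cycle the report describes, using the parameter values it cites (14-day grace period, 1-day minimum renewal, 90-day initial protection) and an assumed 730-day loan; it contrasts the reported setup with the two mitigations named in the recommendation.

```typescript
// Added example (not Carapace code): a day-granular model of the renewal
// strategy described in the report. Parameter values come from the report:
// 14-day grace period, 1-day minimum renewal, 90 days of initial protection.
// Treating the grace period as "effectively covered" is the report's claim
// that a buyer can still renew before a default is registered.

interface PoolParams {
  gracePeriodDays: number;           // days after expiry in which renewal is still allowed
  minRenewalDays: number;            // shortest renewal a buyer may purchase
  chargePremiumDuringGrace: boolean; // mitigation: premium accrues for grace days too
}

interface Outcome {
  premiumDaysPaid: number;        // days of premium the buyer actually paid for
  daysEffectivelyCovered: number; // days on which the buyer could still end up compensated
  costRatio: number;              // premiumDaysPaid / daysEffectivelyCovered (1.0 = paying in full)
}

function simulateRenewalStrategy(p: PoolParams, initialDays: number, loanDays: number): Outcome {
  // Buyer pays for the initial protection in full, then repeats:
  // let protection lapse, sit out the grace period, renew for the minimum.
  let paid = initialDays;
  let covered = initialDays;
  let elapsed = initialDays;
  while (elapsed < loanDays) {
    const grace = Math.min(p.gracePeriodDays, loanDays - elapsed);
    elapsed += grace;
    covered += grace;
    if (p.chargePremiumDuringGrace) paid += grace;
    if (elapsed >= loanDays) break;
    const renew = Math.min(p.minRenewalDays, loanDays - elapsed);
    paid += renew;
    covered += renew;
    elapsed += renew;
  }
  return { premiumDaysPaid: paid, daysEffectivelyCovered: covered, costRatio: paid / covered };
}

// The reported setup versus the two mitigations the recommendation names.
const reported: PoolParams = { gracePeriodDays: 14, minRenewalDays: 1, chargePremiumDuringGrace: false };
const longerMinimum: PoolParams = { ...reported, minRenewalDays: 30 };
const billedGrace: PoolParams = { ...reported, chargePremiumDuringGrace: true };

const LOAN_DAYS = 730; // constructed: a two-year loan, since "Goldfinch loans last years"
console.log(simulateRenewalStrategy(reported, 90, LOAN_DAYS));      // costRatio ≈ 0.18
console.log(simulateRenewalStrategy(longerMinimum, 90, LOAN_DAYS)); // costRatio ≈ 0.71
console.log(simulateRenewalStrategy(billedGrace, 90, LOAN_DAYS));   // costRatio = 1
```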

vnadoda commented 1 year ago

@clems4ev3r this is a duplicate of #312

vnadoda commented 1 year ago

@hrishibhat need to close this

clems4ev3r commented 1 year ago

@vnadoda, respectfully disagree, this is a duplicate of #308 and #190.

312 is confusing since the title mentions grace period duration when it really is about changing the amount of the protection during the renewal

vnadoda commented 1 year ago

@clems4ev3r I mentioned #312 because the reporter mentioned "Minimal renewal has to be increased probably" as a remedy. Anyway, we need to close this as we plan to fix both #312 and #190.