sherlock-audit / 2023-02-carapace-judging

libratus - Sellers can deposit protection right after borrower payment and before accrual gaining an advantage #199

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

libratus

Sellers can deposit protection right after borrower payment and before accrual gaining an advantage

Summary

If a seller deposits capital right after a borrower makes a payment but before accrual is done, he earns this portion of the premium without any risk.

Vulnerability Detail

Carapace integrates with on-chain protocols like Goldfinch, which means borrower payments are visible on-chain. A seller can deposit protection right after a borrower makes a payment but before accruePremiumAndExpireProtections is called on ProtectionPool.

The seller will earn the premium associated with the payment made, risk-free.

Impact

A seller can earn a small portion of the premium risk-free. Ranking as Low as it is unlikely to have a big impact.

Code Snippet

Tool used

Manual Review

Recommendation

If possible within a reasonable gas limit, we can call accruePremiumAndExpireProtections at the beginning of the deposit function like the following:

```solidity
function deposit(uint256 _underlyingAmount, address _receiver)
  external
  override
  whenNotPaused
  nonReentrant
{
  // Accrue pending premium and expire protections before minting shares,
  // so the depositor cannot capture premium earned before they bore any risk.
  accruePremiumAndExpireProtections(new address[](0));
  _deposit(_underlyingAmount, _receiver);
}
```

Duplicate of #26
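To make the accounting effect concrete, here is an added toy model of a share-based pool (constructed for this write-up; it is neither Carapace's code nor the reporter's): a late seller who deposits after the borrower's payment but before accrual captures part of the premium, and accruing inside deposit, as the recommendation suggests, removes that gain. The class and function names, the share formula and the numbers are all assumptions.

```python
"""Toy share-based protection pool (constructed model, not Carapace's accounting)."""
from dataclasses import dataclass, field


@dataclass
class ToyPool:
    total_capital: float = 0.0      # underlying tokens held by the pool
    total_shares: float = 0.0       # LP shares outstanding
    pending_premium: float = 0.0    # premium paid by buyers but not yet accrued
    shares: dict = field(default_factory=dict)
    accrue_on_deposit: bool = False  # True models the recommended fix

    def exchange_rate(self) -> float:
        # Capital backing each share; 1.0 for an empty pool.
        return 1.0 if self.total_shares == 0 else self.total_capital / self.total_shares

    def accrue_premium(self) -> None:
        # Stands in for accruePremiumAndExpireProtections: pending premium becomes
        # pool capital, which raises the value of every share already minted.
        self.total_capital += self.pending_premium
        self.pending_premium = 0.0

    def deposit(self, who: str, amount: float) -> None:
        if self.accrue_on_deposit:
            self.accrue_premium()  # accrue first, so new shares are priced correctly
        minted = amount / self.exchange_rate()
        self.total_capital += amount
        self.total_shares += minted
        self.shares[who] = self.shares.get(who, 0.0) + minted

    def value_of(self, who: str) -> float:
        return self.shares.get(who, 0.0) * self.exchange_rate()


def front_run_gain(accrue_on_deposit: bool) -> float:
    """Risk-free gain of a seller who deposits right after a borrower payment
    but before accrual runs. All amounts are constructed sample values."""
    pool = ToyPool(accrue_on_deposit=accrue_on_deposit)
    pool.deposit("honest", 1000.0)   # long-standing seller who actually bore the risk
    pool.pending_premium += 100.0    # borrower pays; premium is now owed to the pool
    pool.deposit("late", 1000.0)     # late seller deposits before accrual is called
    pool.accrue_premium()            # someone finally calls accrue
    return pool.value_of("late") - 1000.0


if __name__ == "__main__":
    print("gain without fix:", front_run_gain(False))  # 50.0: half the premium
    print("gain with fix:   ", front_run_gain(True))   # ~0.0
```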

kiseln commented 1 year ago

Escalate for 20 USDC

This is a duplicate of #26 and #294 with the underlying issue being the ability to front-run accruePremiumAndExpireProtections. The difference is that 26 also includes instant profit withdrawal. However, that part is more about gaming withdrawals which is captured by #292 and #116.

Probably misjudged it, as everyone else ranked it high. Please note that the recommendation is valid for issue 26.

sherlock-admin commented 1 year ago

You've created a valid escalation for 20 USDC!

To remove the escalation from consideration: Delete your comment. To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

Evert0x commented 1 year ago

Escalation accepted

sherlock-admin commented 1 year ago

This issue's escalations have been accepted!

Contestants' payouts and scores will be updated according to the changes made on this issue.