sherlock-audit / 2023-02-carapace-judging

ck - Handling of pool cycle state by daily cron is flawed #228

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

ck

high

Handling of pool cycle state by daily cron is flawed

Summary

Handling of pool cycle state by daily cron is flawed

Vulnerability Detail

Having ProtectionPoolCycleManager.calculateAndSetPoolCycleState be run by a cron daily fails to account for protocol requirements.

calculateAndSetPoolCycleState just relies on timestamps to change cycle state irrespective of other factors such as defaults and late payments.

Impact

This can break protocol operation and lead to various bugs as cycle state will change without checking if it is safe to do so.

Code Snippet

https://github.com/sherlock-audit/2023-02-carapace/blob/main/contracts/core/ProtectionPoolCycleManager.sol#L94-L143

Tool used

Manual Review

Recommendation

Have the cycle times be changed at contract level based on various checks.

vnadoda commented 1 year ago

@clems4ev3r The purpose of the pool cycle is purely timekeeping and to represent status based on time elapsed. How will this break protocol operation(s)? This doesn't seem to be a valid concern/issue.

clems4ev3r commented 1 year ago

@vnadoda Agreed, this is invalid, since pool cycles are supposed to be based on time only.