User can double insure their LP token to game insurance in the event of a default
Summary
When issuing insurance the protocol confirms that the user isn't buying more protection than the current principal of the token. There is nothing however stopping the user from buying multiple protections for full value of the token. In the event of a default the user would be able to claim both their protections.
When buying protection it confirms that the protection amount being bought is less than or equal to the amount of collateral remaining in the token. The issue is that is doesn't check if there is already some amount of coverage for that token. This allows a user to double insure a token and get double the payout if the pool defaults.
0x52
high
User can double insure their LP token to game insurance in the event of a default
Summary
When issuing insurance the protocol confirms that the user isn't buying more protection than the current principal of the token. There is nothing however stopping the user from buying multiple protections for full value of the token. In the event of a default the user would be able to claim both their protections.
Vulnerability Detail
https://github.com/sherlock-audit/2023-02-carapace/blob/main/contracts/core/pool/ReferenceLendingPools.sol#L152-L167
When buying protection it confirms that the protection amount being bought is less than or equal to the amount of collateral remaining in the token. The issue is that is doesn't check if there is already some amount of coverage for that token. This allows a user to double insure a token and get double the payout if the pool defaults.
Impact
User can get double payout from default
Code Snippet
https://github.com/sherlock-audit/2023-02-carapace/blob/main/contracts/core/pool/ProtectionPool.sol#L795-L905
Tool used
Manual Review
Recommendation
Track the amount of protection a token has and make sure that this total value never exceeds the value of the underlying token.
Duplicate of #112