search

sherlock-audit / 2023-02-carapace-judging

2 stars 0 forks source link

__141345__ - LP token should be transferred to the seller if defaulted #279

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

141345

high

LP token should be transferred to the seller if defaulted

Summary

The LP token is not transferred to the seller in case of defaulted loan. The contract codebase does not implement the documentations functionality. This issue could be abused by malicious users to drain the pool fund. Sellers could lose all the fund.

Vulnerability Detail

According to the doc

A seller does not need to deposit the LP token in a Carapace pool at the time of purchase - this is only a requirement if a buyer makes a claim for default payout.

The indication is the buyer should transfer the LP token to the seller when making a claim for the payout.

However, in the implementation, the LP is not transferred.

File: contracts/core/DefaultStateManager.sol
289:   function _assessState(ProtectionPoolState storage poolState) internal {

357:           else if (_currentStatus == LendingPoolStatus.Late) {
358:             /// Update the current status of the lending pool to Active
359:             lendingPoolStateDetail.currentStatus = LendingPoolStatus.Defaulted;
360: 
361:             // Default state transition will be implemented in the next version of the protocol
362:             // _moveFromLockedToDefaultedState(poolState, _lendingPool);
363:           }

Since the LP token transfer is not required when buying protection, the above issue could be abused. A malicious buyer can use multiple wallet address to buy multiple protections. And claim the payouts repeatedly. Imagine, Alice holds some LP token with amount of $1,000 USDC, and she can buy protection with wallet 1, then transfer the LP token to wallet 2 and buy protection again. This process can be done for many times to buy much more than the real LP token amount. Later when the loan defaulted, Alice could claim for the payouts multiple times without transferring the LP token. Even worse, malicious user can lend to self with different wallets in the lending pool, and artificially making the loan defaulted, in order the trick the protection payout system.

Impact

Protection sellers could lose fund to malicious users. The pool fund could be drained.

Code Snippet

https://github.com/sherlock-audit/2023-02-carapace/blob/main/contracts/core/DefaultStateManager.sol#L357-L363

Tool used

Manual Review

Recommendation

When the status is defaulted, transfer the LP token to the seller.

Duplicate of #112

clems4ev3r commented 1 year ago

Looks like a duplicate of #112

vnadoda commented 1 year ago

@clems4ev3r default payout functionality is not implemented and planned for the upcoming version as specified in a comment and protocol overview doc. There is no way for buyers to get default payouts and abuse the system. Cc @taisukemino

clems4ev3r commented 1 year ago

@vnadoda agreed