Get protection while not paying fees by using many 0 deposits
Summary
Buyers can game the system and get (almost) free protection with many 0-amount-deposits.
Vulnerability Detail
The protocol allows a protection buyer to have many deposits, which also can have a protection amount of 0. This has been tested in this snippet. When the protection amount is 0, no premium has to be paid:
The way this can be abused is to perform many 0 deposits that expire in an interval equal to the grace period, so that the buyer always has one expired protection that he can renew just in time when he sees a default impending and only then paying the protection amount once and for the shortest duration possible.
To give an example in numbers, assume the cycle duration is 90 days, and the grace period is 10 days. A malicious buyer would then create 9 protections with amount 0 which all expire 10 days from each other. This way, after the first protection expires he, will always have one expired protection which is still in grace period and can be used to renew just in time for an impending default. If no default is expected, the buyer will just renew that protection with another 0 amount deposit, to keep the cycle alive.
Impact
Gaming the protocol, avoiding uncertainty and getting protection but paying only in case of certain default.
minhtrng
high
Get protection while not paying fees by using many 0 deposits
Summary
Buyers can game the system and get (almost) free protection with many 0-amount-deposits.
Vulnerability Detail
The protocol allows a protection buyer to have many deposits, which also can have a protection amount of 0. This has been tested in this snippet. When the protection amount is 0, no premium has to be paid:
The way this can be abused is to perform many 0 deposits that expire in an interval equal to the grace period, so that the buyer always has one expired protection that he can renew just in time when he sees a default impending and only then paying the protection amount once and for the shortest duration possible.
To give an example in numbers, assume the cycle duration is 90 days, and the grace period is 10 days. A malicious buyer would then create 9 protections with amount 0 which all expire 10 days from each other. This way, after the first protection expires he, will always have one expired protection which is still in grace period and can be used to renew just in time for an impending default. If no default is expected, the buyer will just renew that protection with another 0 amount deposit, to keep the cycle alive.
Impact
Gaming the protocol, avoiding uncertainty and getting protection but paying only in case of certain default.
Code Snippet
https://github.com/sherlock-audit/2023-02-carapace/blob/cbfed1985d3cf893239d852eecefe7610b7434dc/contracts/libraries/ProtectionPoolHelper.sol#L36-L80 (this function should have necessary checks to avoid the exploit)
Tool used
Manual Review
Recommendation
Have a minimum deposit amount or restrict the amounts of deposits for an nftLpTokenId.
Duplicate of #112