search

sherlock-audit / 2023-02-carapace-judging

2 stars 0 forks source link

monrel - Unlocked capital should not be claimable to sellers that have not requested a withdrawal #321

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

monrel

medium

Unlocked capital should not be claimable to sellers that have not requested a withdrawal

Summary

All sellers are forced to withdraw capital that have been unlocked. Even seller that had not requested a withdrawal end up being able to withdraw capital whenever a lenderpool is unlocked.

Vulnerability Detail

Seller's capital is locked when payments are missed. The capital is then unlocked after 2 payment terms if the payment is made during that time.

All unlocked capital is then distributed to sellers even if the had not requested a withdrawal. Withdrawals are supposed to only happen at the earliest at the end of the cycle after a request for a withdrawal has been made but this assumption is broken here.

Impact

An important factor for protection buyers is he amount of capital exist in relation the protected amount. The premium amount they are ready to pay is dependent on the insolvency risk of ProtectionPool. Deposits are supposed to stay in the Protection pool at least until the end of the next cycle. From the documentation:

"Let’s use an example where the cycle duration is 90 days. Imagine that Buyer A buys protection at day 100 (cycle 2) for 170 days. She can see how much capital will stay during her protection duration (the remaining days in cycle 2 and all the days in cycle 3) from two pieces of information. First, all the capital deposited in cycle 2 will stay in cycle 3. Second, the amount of withdrawal requests made before cycle 1 (only in cycle 1 in this case)."

The assumption that capital that is deposited in cycle 2 will stay until the end of cycle 3 is not correct due to the outlined vulnerability.

Code Snippet

The claiming functionality does not take into account withdrawlRequests https://github.com/sherlock-audit/2023-02-carapace/blob/main/contracts/core/pool/ProtectionPool.sol#L427-L445

Tool used

Manual Review

Recommendation

The unlocked capital should only be withdrawable if the capital was locked during an open period that the seller had a withdrawalRequests >= claimableAmount

vnadoda commented 1 year ago

@clems4ev3r This is not a valid concern. Per protocol design, locked capital is kept aside for default payout, in case of lending pool's default, and hence locked capital is not earning/accruing premium. This means when lending pool is active again(current on payment), investors/sellers should be able to claim this capital.

Though we are thinking about a more capital-efficient way to handle this in an upcoming version.

clems4ev3r commented 1 year ago

@vnadoda agreed, this is a non-issue, withdrawal and claiming are a different process

hrishibhat commented 1 year ago

Closing based on the above comments