Reserve ratio is not checked in sendPortfolio in Unitas.sol
Summary
Underlying assets can be sent out of protocol to be used for gaining some interest in protocols like Aave, Compound, etc. There is no reserve ration check thus the assets can become undercollateralized if too much is send to portfolio.
Vulnerability Detail
Both Unitas.sol:264 and InsurancePool.sol:136 have the functionality of sending funds to address the portfolio access role. It sends a given token from the protocol to be used, for example, to stake on Aave or Compound to gain interest.
The one in Unitas.sol poses a threat to minted funds becoming undercollateralized. An arbitrary number of tokens can be passed as an argument for the sendPortfolio function. However, there is no reserve ratio check. In this way, the underlying stable coin value can fall under the liabilities value and cause users to not be able to withdraw their funds.
Option 1 - Remove portfolio from Unitas.sol.
This option is preferred for making the backing asset safer.
Option 2 - Add reserve ratio check as it is in swapping at Unitas.sol:605. In my opinion, this is not ideal because there could be assets missing in InsurancePool due to being sent to the portfolio as well, but it is better than leaving it as it is.
0xJuda
high
Reserve ratio is not checked in sendPortfolio in Unitas.sol
Summary
Underlying assets can be sent out of protocol to be used for gaining some interest in protocols like Aave, Compound, etc. There is no reserve ration check thus the assets can become undercollateralized if too much is send to portfolio.
Vulnerability Detail
Both Unitas.sol:264 and InsurancePool.sol:136 have the functionality of sending funds to address the portfolio access role. It sends a given token from the protocol to be used, for example, to stake on Aave or Compound to gain interest.
The one in Unitas.sol poses a threat to minted funds becoming undercollateralized. An arbitrary number of tokens can be passed as an argument for the sendPortfolio function. However, there is no reserve ratio check. In this way, the underlying stable coin value can fall under the liabilities value and cause users to not be able to withdraw their funds.
Impact
Underlying assets can become undercollateralized.
Code Snippet
Unitas.sol:264
Tool used
Manual Review
Recommendation
Option 1 - Remove portfolio from Unitas.sol. This option is preferred for making the backing asset safer.
Option 2 - Add reserve ratio check as it is in swapping at Unitas.sol:605. In my opinion, this is not ideal because there could be assets missing in InsurancePool due to being sent to the portfolio as well, but it is better than leaving it as it is.