search

sherlock-audit / 2023-04-unitasprotocol-judging

4 stars 3 forks source link

capy_ - Reserve ratio not considered when sending amounts to portfolio #129

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

capy_

medium

Reserve ratio not considered when sending amounts to portfolio

Summary

Reserve ratio not considered when sending amounts to portfolio in PoolBalances.sol

Vulnerability Detail

Per function _sendPortfolio in PoolBalances.sol:

    function _sendPortfolio(address token, address receiver, uint256 amount) internal virtual {
        AddressUtils.checkNotZero(token);
        AddressUtils.checkNotZero(receiver);
        _checkAmountPositive(amount);
        _require(receiver != address(this), Errors.RECEIVER_INVALID);

        uint256 portfolio = _getPortfolio(token);
        amount = amount.min(_getBalance(token) - portfolio);

        _require(amount > 0, Errors.POOL_BALANCE_INSUFFICIENT);

        _setPortfolio(token, portfolio + amount);

        IERC20(token).safeTransfer(receiver, amount);

        emit PortfolioSent(token, receiver, amount);
    }

Per clarification from sponsor in discord chat:

"_portfolio represents the current amount of assets used for strategic investments"

"If there is enough USDT available in reserve pool, the unitas foundation may utilize some of insurance pool USDT to generate additional yield. This is a temporary operation only to increase our revenue. "

On the understanding that _getBalance is the balance of the token in the pool, it means that the formula for the check did not take into consideration reducing the reserve ratio's worth of tokens before allowing the amount to be sent to the portfolio.

Impact

Excessive amounts of tokens from the pool could be sent (by accident or maliciously - in the case where admin gets compromised) for investment, causing the reserve ratio to fall before 130% or even 100%. This could cause the main functionalities of the protocol to stop working as mentioned in the "Risk Management" portion of the white paper .

Code Snippet

https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/d5328421bea80e3b0fd4595e4eb6b732a40e421e/Unitas-Protocol/src/PoolBalances.sol#L83-L99

Tool used

Manual Review

Recommendation

Include a check to ensure that the reserve ratio requirements are met before sending amounts to portfolio.