In the _swapOut function when tokenType of the token equals asset, the if statement is triggered which can pull the collateral of tokens from the insurance pool.
However duo to the wrong if statement applied amount > reserveAmount in the function, in some cases it will lead to revert as it is trying to pull more collateral than the actual amount the insurance pool has.
In the below scenario, the function will try to pull more collateral from the insurance pool than it actually has.
if (tokenType == ITokenManager.TokenType.Asset) {
uint256 tokenReserve = 40e18;
// The function will take the smallest amount out of the two variables.
uint256 reserveAmount = 30e18.min(40e18 - 30e18);
if (amount > reserveAmount) {
uint256 collateralAmount = 30e18 - 10e18;
// tokenReserve - _getPortfolio(token) -> 40e18 - 30e18 = 10e18
// Based on the calculation above, the insurance pool doesn't have enough collateral to cover the withdraw of 20e18.
IInsurancePool(insurancePool).withdrawCollateral(token, 20e18);
}
Impact
Duo to the wrong if statement applied in the _swapOut function, in some cases the function will try to pull more collateral than the insurance pool actually has, leading to revert.
Yuki
medium
Wrong logic applied in the _swapOut function.
Summary
Wrong logic applied in the _swapOut function.
Vulnerability Detail
In the _swapOut function when tokenType of the token equals asset, the if statement is triggered which can pull the collateral of tokens from the insurance pool.
However duo to the wrong if statement applied
amount > reserveAmount
in the function, in some cases it will lead to revert as it is trying to pull more collateral than the actual amount the insurance pool has.https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/Unitas.sol#L379-L400
Lets take for example the given details:
In the below scenario, the function will try to pull more collateral from the insurance pool than it actually has.
Impact
Duo to the wrong if statement applied in the _swapOut function, in some cases the function will try to pull more collateral than the insurance pool actually has, leading to revert.
Code Snippet
https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/Unitas.sol#L379-L400
Tool used
Manual Review
Recommendation
The function _swapOut should withdraw from the insurance pool only if it has the needed amount of collateral.