sherlock-audit / 2024-03-zivoe-judging


`applyCombine` incorrectly sets the `valid` flag of `combinations` at `combineCounter` #714

Closed sherlock-admin3 closed 6 months ago

sherlock-admin3 commented 6 months ago

applyCombine incorrectly sets the valid flag of combinations at combineCounter

Low/Info issue submitted by saidam017

Summary

applyCombine wrongly sets the valid flag of combinations due to incorrectly clearing the valid flag of combineCounter instead of the provided id.

Vulnerability Detail

When applyCombine is called, it sets combinations[combineCounter].valid to false instead of `combinations[id].valid`.

https://github.com/sherlock-audit/2024-03-zivoe/blob/main/zivoe-core-foundry/src/lockers/OCC/OCC_Modular.sol#L749

    function applyCombine(uint256 id) external {
        require(combinations[id].valid, "OCC_Modular::applyCombine() !combinations[id].valid");
        require(
            block.timestamp < combinations[id].expires, 
            "OCC_Modular::applyCombine() block.timestamp >= combinations[id].expires"
        );

>>>     combinations[combineCounter].valid = false;

        // ....
    }

Impact

Low, as the id still can't be combined twice because the loan's state is no longer LoanState.Active, and it will not impact combinations at combineCounter because it does not yet exist.

Code Snippet

https://github.com/sherlock-audit/2024-03-zivoe/blob/main/zivoe-core-foundry/src/lockers/OCC/OCC_Modular.sol#L749

Tool used

Manual Review

Recommendation

Set combinations[id].valid to false instead.
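The reported line and the recommended fix side by side, as an added example that is not part of the original report or of Zivoe's code. `CombineFlagModel`, `approve`, the `Combine` field layout and `CombineFlagCheck` are assumptions made for illustration, and the loan-state check mentioned under Impact is left out of the model.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal stand-in for the approval bookkeeping (hypothetical, not OCC_Modular).
// Assumption: combineCounter is always the next unused id.
contract CombineFlagModel {
    struct Combine { uint256 expires; bool valid; }
    mapping(uint256 => Combine) public combinations;
    uint256 public combineCounter;

    // Hypothetical approval step: fills combinations[id], then bumps the counter.
    function approve(uint256 ttl) external returns (uint256 id) {
        id = combineCounter++;
        combinations[id] = Combine({expires: block.timestamp + ttl, valid: true});
    }

    // Behaviour described in the report: the write lands on the unused slot.
    function applyCombineReported(uint256 id) external {
        _check(id);
        combinations[combineCounter].valid = false; // wrong key, entry `id` stays valid
    }

    // Recommended behaviour: clear the approval that was just consumed.
    function applyCombineFixed(uint256 id) external {
        _check(id);
        combinations[id].valid = false;
    }

    function _check(uint256 id) internal view {
        require(combinations[id].valid, "!combinations[id].valid");
        require(block.timestamp < combinations[id].expires, "expired");
    }
}

// Regression check: returns (true, true) when the model behaves as described.
contract CombineFlagCheck {
    function run() external returns (bool staleAfterReported, bool clearedAfterFixed) {
        CombineFlagModel m = new CombineFlagModel();
        uint256 a = m.approve(1 days);
        m.applyCombineReported(a);
        (, staleAfterReported) = m.combinations(a); // still flagged valid
        uint256 b = m.approve(1 days);
        m.applyCombineFixed(b);
        (, bool v) = m.combinations(b);
        clearedAfterFixed = !v;
    }
}
```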

pseudonaut commented 6 months ago

Valid