Platform: Code4rena
Start Date: 07/01/2022
Pot Size: $80,000 USDC
Total HM: 21
Participants: 37
Period: 7 days
Judge: 0xean
Total Solo HM: 14
Id: 71
League: ETH
Rank: 21/37
Findings: 1
Award: $527.31
π Selected for report: 2
π Solo Findings: 0
170.9781 INSURE - $59.84
103.8081 USDC - $103.81
cccz
The fund function of the CDSTemplate contract does not match the description, the caller will not receive any iToken after sending tokens, and the owner can take away the tokens in surplusPool.
/** * @notice A liquidity provider supplies collatral to the pool and receives iTokens * @param _amount amount of token to deposit */ function fund(uint256 _amount) external { require(paused == false, "ERROR: PAUSED"); //deposit and pay fees uint256 _attribution = vault.addValue( _amount, msg.sender, address(this) ); surplusPool += _attribution; emit Fund(msg.sender, _amount, _attribution); } function defund(uint256 _amount) external override onlyOwner { require(paused == false, "ERROR: PAUSED"); uint256 _attribution = vault.withdrawValue(_amount, msg.sender); surplusPool -= _attribution; emit Defund(msg.sender, _amount, _attribution); }
https://github.com/code-423n4/2022-01-insure/blob/main/contracts/CDSTemplate.sol#L156-L182
Manual analysis
Change the description of the fund function or send iToken to the caller
#0 - oishun1112
2022-01-18T05:02:22Z
Wardens should assume that governance variables are set sensibly. https://code4rena.com/contests/2022-01-insuredao-contest
we assume owner doesn't behave to lose credit of InsureDAO. so, we don't take "owner can take away the tokens in surplusPool." as a problem. This is to salvage the fund in case we have to migrate to a new CDS.
fund() doesn't mint any LP tokens back, so the risk should be 0 since this is commenting issue.
#1 - 0xean
2022-01-27T22:01:19Z
1 β Low: Low: Assets are not at risk. State handling, function incorrect as to spec, issues with comments.
Downgrading to sev 1
#2 - oishun1112
2022-02-02T05:17:42Z
dup
π Selected for report: cccz
379.9514 INSURE - $132.98
230.6848 USDC - $230.68
cccz
When setting parameters in the Parameters contract, the input parameters are not verified.
For example, in the setFeeRate function, the _target parameter is not limited. When _target is greater than 1e6, DOS will occur when used in the insure function of the PoolTemplate contract
function setFeeRate(address _address, uint256 _target) external override onlyOwner { _fee[_address] = _target; emit FeeRateSet(_address, _target); } ... function insure( uint256 _amount, uint256 _maxCost, uint256 _span, bytes32 _target ) external returns (uint256) { //Distribute premium and fee uint256 _endTime = _span + block.timestamp; uint256 _premium = getPremium(_amount, _span); uint256 _fee = parameters.getFeeRate(msg.sender); require( _amount <= availableBalance(), "ERROR: INSURE_EXCEEDED_AVAILABLE_BALANCE" ); require(_premium <= _maxCost, "ERROR: INSURE_EXCEEDED_MAX_COST"); require(_span <= 365 days, "ERROR: INSURE_EXCEEDED_MAX_SPAN"); require( parameters.getMinDate(msg.sender) <= _span, "ERROR: INSURE_SPAN_BELOW_MIN" ); require( marketStatus == MarketStatus.Trading, "ERROR: INSURE_MARKET_PENDING" ); require(paused == false, "ERROR: INSURE_MARKET_PAUSED"); //current liquidity uint256 _liquidity = totalLiquidity(); uint256 _totalCredit = totalCredit; //accrue premium/fee uint256[2] memory _newAttribution = vault.addValueBatch( _premium, msg.sender, [address(this), parameters.getOwner()], [MAGIC_SCALE_1E6-_fee, _fee] );
https://github.com/code-423n4/2022-01-insure/blob/main/contracts/Parameters.sol
Manual analysis
When setting parameters in the Parameters contract, verify the input parameters
#0 - takadr
2022-01-27T03:02:21Z
@oishun1112 Already fixed. https://github.com/InsureDAO/pool-contracts/blob/audit/code4rena/contracts/Parameters.sol#L186