InsureDAO contest - loop's results

Anyone can create an insurance pool like Uniswap.

General Information

Platform: Code4rena

Start Date: 07/01/2022

Pot Size: $80,000 USDC

Total HM: 21

Participants: 37

Period: 7 days

Judge: 0xean

Total Solo HM: 14

Id: 71

League: ETH

InsureDAO

Findings Distribution

Researcher Performance

Rank: 15/37

Findings: 4

Award: $987.75

🌟 Selected for report: 2

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository InsureDAO

Findings Information

🌟 Selected for report: loop

Also found by: p4st13r4, ye0lde

Labels

bug

3 (High Risk)

resolved

sponsor confirmed

Awards

1025.8688 INSURE - $359.05

622.8489 USDC - $622.85

External Links

Link to GitHub issue

Handle

loop

Vulnerability details

The function unlock() in PoolTemplate has a typo where it compares insurances[_id].status to false rather than setting it to false. If the conditions are met to unlock the funds for an id, the user should be able to call the unlock() function once for that id as insurances[_id].amount is subtracted from lockedAmount. However, since insurances[_id].status does not get set to false, a user can call unlock() multiple times for the same id, resulting in lockedAmount being way smaller than it should be since insurances[_id].amount is subtracted multiple times.

Impact

lockedAmount is used to calculate the amount of underlying tokens available for withdrawals. If lockedAmount is lower than it should be users are able to withdraw more underlying tokens than available for withdrawals.

Proof of Concept

Typo in unlock():

https://github.com/code-423n4/2022-01-insure/blob/main/contracts/PoolTemplate.sol#L360-L362

Calculation of underlying tokens available for withdrawal:

https://github.com/code-423n4/2022-01-insure/blob/main/contracts/PoolTemplate.sol#L836

Recommended Mitigation Steps

Change insurances[_id].status == false; to insurances[_id].status = false;

#0 - oishun1112
2022-01-27T06:53:24Z

https://github.com/InsureDAO/pool-contracts/blob/audit/code4rena/contracts/PoolTemplate.sol#L375

#1 - 0xean
2022-01-27T21:32:25Z

upgrading to sev-3 based on assets being compromised.

Findings Information

🌟 Selected for report: Dravee

Also found by: 0x1f8b, Jujic, TomFrenchBlockchain, csanuragjain, defsec, gzeon, loop, robee

Labels

bug

duplicate

G (Gas Optimization)

Awards

2.9784 INSURE - $1.04

1.5637 USDC - $1.56

External Links

Link to GitHub issue

Handle

loop

Vulnerability details

The variables token, registry and ownership in Vault are only set in the constructor and can thus be immutable.

Impact

Immutable variables have lower gas cost during deployment and use of the variable.

Proof of Concept

#0 - oishun1112
2022-01-13T14:27:26Z

https://github.com/code-423n4/2022-01-insure-findings/issues/72

InsureDAO contest - loop's results

Anyone can create an insurance pool like Uniswap.

General Information

Findings Distribution

Researcher Performance

External Links

🌟 [H-02] Typo in PoolTemplate unlock function results in user being able to unlock multiple times - $981.90

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Recommended Mitigation Steps

#0 - oishun11122022-01-27T06:53:24Z

#1 - 0xean2022-01-27T21:32:25Z

Gas Report - $5.85

Gas Report - $5.85

[G-88] Vault variables are only set in controller and can be immutable - $2.60

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

#0 - oishun11122022-01-13T14:27:26Z

🌟 [G-25] Multiple boolean comparrisons - $3.25

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Proof of Concept

Recommended Mitigation Steps

#0 - oishun11122022-01-27T06:52:24Z

#0 - oishun1112
2022-01-27T06:53:24Z

#1 - 0xean
2022-01-27T21:32:25Z

#0 - oishun1112
2022-01-13T14:27:26Z

#0 - oishun1112
2022-01-27T06:52:24Z