Platform: Code4rena
Start Date: 07/01/2022
Pot Size: $80,000 USDC
Total HM: 21
Participants: 37
Period: 7 days
Judge: 0xean
Total Solo HM: 14
Id: 71
League: ETH
Rank: 16/37
Findings: 2
Award: $981.90
🌟 Selected for report: 0
🚀 Solo Findings: 0
1025.8688 INSURE - $359.05
622.8489 USDC - $622.85
ye0lde
Expired insurance status set incorrectly after unlock of funds
The insurance status is not set to false and the unlock function can be called over and over driving the lockedAmount to 0. The distorted lockedAmount will then cause liquidity and utilization rates to be distorted. At the least, it could be used in a 'griefing' attack and could cause the protocol to become overextended or unstable.
The unlock routine is here:
https://github.com/code-423n4/2022-01-insure/blob/19d1a7819fe7ce795e6d4814e7ddf8b8e1323df3/contracts/PoolTemplate.sol#L348-L365
/** * @notice Unlock funds locked in the expired insurance * @param _id id of the insurance policy to unlock liquidity */ function unlock(uint256 _id) public { require( insurances[_id].status == true && marketStatus == MarketStatus.Trading && insurances[_id].endTime + parameters.getGrace(msg.sender) < block.timestamp, "ERROR: UNLOCK_BAD_COINDITIONS" ); insurances[_id].status == false; lockedAmount = lockedAmount - insurances[_id].amount; emit Unlocked(_id, insurances[_id].amount); }
Note that the insurances's _id is just a number between 0 and allInsuranceCount. And parameters.getGrace(msg.sender) returns 0 for an unknown address.
Visual Studio Code, Remix
Line 360:
insurances[_id].status == false;
should be:
insurances[_id].status = false;
#0 - oishun1112
2022-01-19T09:38:37Z