Missing check on account in PerpDepository.rebalance()
Summary
in PerpDepository.rebalance() the input parameter account can be set by the caller without restriction.
Any user account with residual approval to this contract can be forced to pay the shortfall.
An attacker can simulate transactions to see when the shortfall should be negative and put its address to gain the shortfall
Vulnerability Detail
account is fed to _rebalanceNegativePnlWithSwap() where it is used to:
pull quoteToken from to pay the shortfall from it if shortFall is positive
transfer quoteToken to send the excess if shortFall is negative
When Alice calls rebalanceLite(), she must approve first the PerpDepository with quoteToken. If after rebalanceLite() is called there is some residual approval, then rebalance() can be called by Anyone passing Alice's address as account to make Alice pay for the shortfall.
Also, an attacker could simulate calls to rebalance() to know when the Shorfall is negative and call rebalance() whith its address as account to get the excess tokens after rebalancing.
Impact
Users with residual approval can be forced to pay for the cost of rebalancing, also the benefits of potentially having a negative shortfall (excess tokens after rebalancing) can be nullified by a malicious attacker who can steal the excess tokens.
Bahurum
medium
Missing check on
account
inPerpDepository.rebalance()
Summary
in
PerpDepository.rebalance()
the input parameteraccount
can be set by the caller without restriction.Vulnerability Detail
account
is fed to_rebalanceNegativePnlWithSwap()
where it is used to:quoteToken
from to pay the shortfall from it ifshortFall
is positivequoteToken
to send the excess ifshortFall
is negativeWhen Alice calls
rebalanceLite()
, she must approve first thePerpDepository
withquoteToken
. If afterrebalanceLite()
is called there is some residual approval, thenrebalance()
can be called by Anyone passing Alice's address asaccount
to make Alice pay for the shortfall.Also, an attacker could simulate calls to
rebalance()
to know when theShorfall
is negative and callrebalance()
whith its address asaccount
to get the excess tokens after rebalancing.Impact
Users with residual approval can be forced to pay for the cost of rebalancing, also the benefits of potentially having a negative shortfall (excess tokens after rebalancing) can be nullified by a malicious attacker who can steal the excess tokens.
Code Snippet
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/integrations/perp/PerpDepository.sol#L446-L453
Tool used
Manual Review
Recommendation
Rebalance should be some fixed protocol owned address that allows for paying the shortfall.
Duplicate of #288