Missing check on account in PerpDepository.rebalance()
Summary
in PerpDepository.rebalance() the input parameter account can be set by the caller without restriction.
Any user account with residual approval to this contract can be forced to pay the shortfall.
An attacker can simulate transactions to see when the shortfall should be negative and put its address to gain the shortfall
Vulnerability Detail
account is fed to _rebalanceNegativePnlWithSwap() where it is used to:
pull quoteToken from to pay the shortfall from it if shortFall is positive
transfer quoteToken to send the excess if shortFall is negative
When Alice calls rebalanceLite(), she must approve first the PerpDepository with quoteToken. If after rebalanceLite() is called there is some residual approval, then rebalance() can be called by Anyone passing Alice's address as account to make Alice pay for the shortfall.
Also, an attacker could simulate calls to rebalance() to know when the Shorfall is negative and call rebalance() whith its address as account to get the excess tokens after rebalancing.
Impact
Users with residual approval can be forced to pay for the cost of rebalancing, also the benefits of potentially having a negative shortfall (excess tokens after rebalancing) can be nullified by a malicious attacker who can steal the excess tokens.
Bahurum
medium
Missing check on
accountinPerpDepository.rebalance()Summary
in
PerpDepository.rebalance()the input parameteraccountcan be set by the caller without restriction.Vulnerability Detail
accountis fed to_rebalanceNegativePnlWithSwap()where it is used to:quoteTokenfrom to pay the shortfall from it ifshortFallis positivequoteTokento send the excess ifshortFallis negativeWhen Alice calls
rebalanceLite(), she must approve first thePerpDepositorywithquoteToken. If afterrebalanceLite()is called there is some residual approval, thenrebalance()can be called by Anyone passing Alice's address asaccountto make Alice pay for the shortfall.Also, an attacker could simulate calls to
rebalance()to know when theShorfallis negative and callrebalance()whith its address asaccountto get the excess tokens after rebalancing.Impact
Users with residual approval can be forced to pay for the cost of rebalancing, also the benefits of potentially having a negative shortfall (excess tokens after rebalancing) can be nullified by a malicious attacker who can steal the excess tokens.
Code Snippet
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/integrations/perp/PerpDepository.sol#L446-L453
Tool used
Manual Review
Recommendation
Rebalance should be some fixed protocol owned address that allows for paying the shortfall.
Duplicate of #288