Anyone may swap any user's quote tokens for base tokens if that user has approved PerpDepository.sol to spend quote tokens
Summary
A malicious user could call the rebalanceLite function in PerpDepository.sol and specify any account address that has given approval to the depository. This may result in the account losing their quote tokens in exchange for base tokens.
Vulnerability Detail
The rebalanceLite function allows any account to be specified that has approved the PerpDepository.sol contract.
Since only negative PnL rebalances are allowed, the _rebalanceNegativePnlLite function is called where the account must provide all quote tokens for the rebalance and receives the base tokens returned in the swap.
The account used in rebalanceLite could have there quoteTokens exchanged for baseTokens. If this occurs during a time of high volatility, the account may suffer a loss.
dipp
high
Anyone may swap any user's quote tokens for base tokens if that user has approved
PerpDepository.sol
to spend quote tokensSummary
A malicious user could call the
rebalanceLite
function inPerpDepository.sol
and specify anyaccount
address that has given approval to the depository. This may result in the account losing their quote tokens in exchange for base tokens.Vulnerability Detail
The
rebalanceLite
function allows anyaccount
to be specified that has approved thePerpDepository.sol
contract.Since only negative PnL rebalances are allowed, the
_rebalanceNegativePnlLite
function is called where theaccount
must provide all quote tokens for the rebalance and receives the base tokens returned in the swap.Impact
The
account
used inrebalanceLite
could have there quoteTokens exchanged for baseTokens. If this occurs during a time of high volatility, theaccount
may suffer a loss.Code Snippet
PerpDepository.sol:rebalanceLite#L597-L602
PerpDepository.sol:_rebalanceNegativePnlLite#L615-L644
Tool used
Manual Review
Recommendation
Consider using
msg.sender
instead ofaccount
in therebalanceLite
function.Duplicate of #288