Closed github-actions[bot] closed 1 year ago
This is a known condition. rebalanceLite is not meant to be a profitable call. It is meant to be called by a team account/bot. However, there is no reason to make it a private call, as there is no risk to the protocol by keeping this open, so anyone can call it.
GimelSec
medium
No one will call rebalanceLite if the caller is unable to get more money
Summary
No one will call rebalanceLite if the caller/msg.sender is unable to get more money.
Vulnerability Detail
In rebalanceLite(), users will transfer quoteToken into it, place a PerpOrder, and get assetToken back. If the value of assetToken is not higher than the value of quoteToken, users will not want to call rebalanceLite(). In smart contracts, it's easy for users to revert the transaction when the value of assetToken < the value of quoteToken. Anyone can surely get higher value / more money when calling rebalanceLite(), and avoid losing money.
Impact
No one will call rebalanceLite() when users are unable to get more money; only the owner will call rebalanceLite() and pay the cost of the loss.
Code Snippet
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/integrations/perp/PerpDepository.sol#L597-L644
Tool used
Manual Review
Recommendation
Use a treasury account and hard-code the account address, or use the modifier onlyOwner on rebalanceLite().
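The mechanism the report describes, as an added example that is not part of the original report and not UXD's code: a simplified, hypothetical stand-in for the depository (the real rebalanceLite and its parameters are at the linked PerpDepository.sol lines; the single-argument signature, the assetPerQuote rate and the contract names below are assumptions for illustration), the wrapper a rational caller would route the call through so that the whole transaction reverts unless the caller comes out ahead, and the same function with the recommended onlyOwner restriction applied.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC-20 surface used below (standard selectors, no library import needed).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Hypothetical, simplified stand-in for PerpDepository.rebalanceLite; NOT the
/// UXD code. It models only what the report relies on: the caller sends
/// quoteToken in and receives assetToken back at a rate the caller does not
/// control (here `assetPerQuote`, 1e18 fixed point, settable by the owner).
contract OpenDepository {
    IERC20 public immutable quoteToken;
    IERC20 public immutable assetToken;
    address public immutable owner;
    uint256 public assetPerQuote; // hypothetical rate; 1e18 means 1 quote -> 1 asset

    constructor(IERC20 quote_, IERC20 asset_, uint256 rate_) {
        quoteToken = quote_;
        assetToken = asset_;
        owner = msg.sender;
        assetPerQuote = rate_;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setRate(uint256 rate_) external onlyOwner {
        assetPerQuote = rate_;
    }

    /// Open to anyone, as in the design the report describes.
    function rebalanceLite(uint256 quoteAmount) external virtual returns (uint256 assetOut) {
        return _rebalance(quoteAmount);
    }

    function _rebalance(uint256 quoteAmount) internal returns (uint256 assetOut) {
        require(quoteToken.transferFrom(msg.sender, address(this), quoteAmount), "quote in failed");
        assetOut = (quoteAmount * assetPerQuote) / 1e18;
        require(assetToken.transfer(msg.sender, assetOut), "asset out failed");
    }
}

/// What a rational caller deploys against the open version: rebalanceLite is
/// called through this contract, and the transaction reverts unless the
/// assetToken received is worth more than the quoteToken paid. Only rebalances
/// that are a loss for the protocol can ever land on chain.
contract ProfitOnlyCaller {
    /// `assetPriceInQuote` is the caller's own view of the asset price
    /// (1e18 fixed point), e.g. read from a DEX or oracle off-chain right
    /// before sending the transaction. It guards the caller, not the protocol.
    function rebalanceIfProfitable(
        OpenDepository dep,
        uint256 quoteAmount,
        uint256 assetPriceInQuote
    ) external returns (uint256 received) {
        IERC20 quote = dep.quoteToken();
        IERC20 asset = dep.assetToken();

        require(quote.transferFrom(msg.sender, address(this), quoteAmount), "fund failed");
        require(quote.approve(address(dep), quoteAmount), "approve failed");

        uint256 before = asset.balanceOf(address(this));
        dep.rebalanceLite(quoteAmount); // msg.sender inside the depository is this wrapper
        received = asset.balanceOf(address(this)) - before;

        // Profit gate: value out must exceed value in, otherwise undo everything.
        uint256 valueOut = (received * assetPriceInQuote) / 1e18;
        require(valueOut > quoteAmount, "unprofitable, reverting");

        require(asset.transfer(msg.sender, received), "payout failed");
    }
}

/// The report's recommendation applied to the stand-in: the same function,
/// restricted to the team/treasury account, so the wrapper above can no longer
/// cherry-pick only the calls that cost the protocol value.
contract GatedDepository is OpenDepository {
    constructor(IERC20 quote_, IERC20 asset_, uint256 rate_)
        OpenDepository(quote_, asset_, rate_) {}

    function rebalanceLite(uint256 quoteAmount)
        external
        override
        onlyOwner
        returns (uint256 assetOut)
    {
        return _rebalance(quoteAmount);
    }
}
```

ProfitOnlyCaller.rebalanceIfProfitable is the concrete form of "it's easy for users to revert the transaction": a call from an EOA with a bad rate simply reverts, so nobody but the protocol's own account ever absorbs an unfavourable rebalance. GatedDepository keeps the function but makes the owner the only possible caller, which is what the recommendation asks for; the team comment above argues the open version is acceptable because the call was never expected to be profitable for outsiders.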