sherlock-audit / 2023-01-uxd-judging


GimelSec - No one will call `rebalanceLite` if the caller is unable to get more money #438

Status: Closed (closed by github-actions[bot] 1 year ago)

github-actions[bot] commented 1 year ago

GimelSec

medium

No one will call rebalanceLite if the caller is unable to get more money

Summary

No one will call rebalanceLite if the caller/msg.sender is unable to get more money.

Vulnerability Detail

In rebalanceLite(), users will transfer quoteToken into it, place PerpOrder, and get assetToken back.

If the value of assetToken is not higher than the value of quoteToken, users will not want to call rebalanceLite().

In smart contracts, it’s easy for users to revert the transaction when the value of assetToken < the value of quoteToken. Anyone can surely get higher value / more money when calling rebalanceLite(), and avoid losing money.

Impact

No one will call rebalanceLite() when users are unable to get more money; only the owner will call rebalanceLite() and pay the cost of the loss.

Code Snippet

https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/integrations/perp/PerpDepository.sol#L597-L644

Tool used

Manual Review

Recommendation

Use a treasury account and hard-code the account address or use the modifier onlyOwner on rebalanceLite().
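As an added illustration of the "revert when unprofitable" pattern this finding describes (example code written for this page, not UXD's or GimelSec's code): a searcher never calls the depository directly, but through a wrapper that measures the assetToken actually received and reverts unless it is worth more than the quoteToken paid in. The `IPerpDepositoryLite` interface with a simplified single-argument `rebalanceLite(uint256)`, the `IPriceOracle` / `assetValueInQuote` price source, and the `ProfitOnlyRebalancer` contract are all assumptions made for the example; the real `rebalanceLite` signature in PerpDepository.sol differs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC-20 surface used below (standard interface, not project code).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// ASSUMPTION: a simplified stand-in for PerpDepository. Only the money flow the
// finding describes (quoteToken in, assetToken out) is modelled; the real
// rebalanceLite takes different parameters.
interface IPerpDepositoryLite {
    function quoteToken() external view returns (address);
    function assetToken() external view returns (address);
    function rebalanceLite(uint256 quoteAmount) external returns (uint256 assetOut);
}

// ASSUMPTION: a hypothetical price source valuing assetToken in quoteToken units.
interface IPriceOracle {
    function assetValueInQuote(uint256 assetAmount) external view returns (uint256);
}

/// Searcher-side wrapper. Calling rebalanceLite only through this contract
/// guarantees the caller never ends a transaction worse off: if the assetToken
/// received is worth less than the quoteToken spent plus the required margin,
/// the whole transaction reverts and the only cost is gas.
contract ProfitOnlyRebalancer {
    IPerpDepositoryLite public immutable depository;
    IPriceOracle public immutable oracle;
    address public immutable searcher;

    constructor(IPerpDepositoryLite _depository, IPriceOracle _oracle) {
        depository = _depository;
        oracle = _oracle;
        searcher = msg.sender;
    }

    /// @param quoteAmount quoteToken to feed into rebalanceLite
    /// @param minProfit   minimum gain, in quoteToken units, below which we revert
    function rebalanceIfProfitable(uint256 quoteAmount, uint256 minProfit)
        external
        returns (uint256 assetReceived, uint256 profit)
    {
        require(msg.sender == searcher, "not searcher");
        IERC20 quote = IERC20(depository.quoteToken());
        IERC20 asset = IERC20(depository.assetToken());

        // Pull the quote from the searcher and let the depository spend it.
        require(quote.transferFrom(msg.sender, address(this), quoteAmount), "transferFrom failed");
        require(quote.approve(address(depository), quoteAmount), "approve failed");

        // Measure what actually arrived instead of trusting the return value.
        uint256 before = asset.balanceOf(address(this));
        depository.rebalanceLite(quoteAmount);
        assetReceived = asset.balanceOf(address(this)) - before;

        // The check from the finding: value out must exceed value in, or revert.
        uint256 valueOut = oracle.assetValueInQuote(assetReceived);
        require(valueOut >= quoteAmount + minProfit, "unprofitable: reverting");
        profit = valueOut - quoteAmount;

        require(asset.transfer(msg.sender, assetReceived), "transfer failed");
    }
}
```

Because every third-party caller can wrap the call this way, the depository only ever receives rebalanceLite calls from outsiders when the trade favours the outsider; every call where the protocol would come out ahead is left for the owner to make. Gating the function with onlyOwner, as the recommendation suggests, does not change who ends up paying for unprofitable rebalances, it only makes that arrangement explicit.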

WarTech9 commented 1 year ago

This is a known condition. rebalanceLite is not meant to be a profitable call. It is meant to be called by a team account/bot. However, there is no reason to make it a private call as there is no risk to the protocol by keeping this open, so anyone can call it.