0xmuxyz - Lack of access control modifier on Product#`closeTakeFor()` and Product#`closeMakeFor()`, which allows a malicious user to freely close any existing user's Maker/Taker position #171
Summary
Lack of access control modifier on Product#`closeTakeFor()` and Product#`closeMakeFor()`, which allows a malicious user to freely close any existing user's Maker/Taker position.
```solidity
/**
 * @notice Closes a taker position for `msg.sender`
 * @param amount Amount of the position to close
 */
function closeTake(UFixed18 amount) external {
    closeTakeFor(msg.sender, amount); /// @audit
}

/**
 * @notice Closes a taker position for `account`. Deducts position fee based on notional value at `latestVersion`
 * @param account Account to close the position for
 * @param amount Amount of the position to close
 */
function closeTakeFor(address account, UFixed18 amount)
    public /// @audit
    nonReentrant
    notPaused
    onlyAccountOrMultiInvoker(account)
    settleForAccount(account)
    closeInvariant(account)
    liquidationInvariant(account)
{
    _closeTake(account, amount); /// @audit
}

/**
 * @notice Closes a maker position for `msg.sender`
 * @param amount Amount of the position to close
 */
function closeMake(UFixed18 amount) external {
    closeMakeFor(msg.sender, amount); /// @audit
}

/**
 * @notice Closes a maker position for `account`. Deducts position fee based on notional value at `latestVersion`
 * @param account Account to close the position for
 * @param amount Amount of the position to close
 */
function closeMakeFor(address account, UFixed18 amount)
    public /// @audit
    nonReentrant
    notPaused
    onlyAccountOrMultiInvoker(account)
    settleForAccount(account)
    takerInvariant
    closeInvariant(account)
    liquidationInvariant(account)
{
    _closeMake(account, amount); /// @audit
}
```
0xmuxyz
high
Vulnerability Detail
When a taker position is closed, Product#`closeTake()` is called. Within Product#`closeTake()`, Product#`closeTakeFor()` is called like this: https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial/contracts/product/Product.sol#L238
Within Product#`closeTakeFor()`, Product#`_closeTake()` is called in order to close the `amount` of the taker position that the `account` has, like this: https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial/contracts/product/Product.sol#L255
Within Product#`_closeTake()`, `amount` of the taker position that the `account` has is closed like this: https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial/contracts/product/Product.sol#L258-L272
Also, when a maker position is closed, Product#`closeMake()` is called. Within Product#`closeMake()`, Product#`closeMakeFor()` is called like this: https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial/contracts/product/Product.sol#L320
Within Product#`closeMakeFor()`, Product#`_closeMake()` is called in order to close the `amount` of the maker position that the `account` has, like this: https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial/contracts/product/Product.sol#L338
Within Product#`_closeMake()`, `amount` of the maker position that the `account` has is closed like this: https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial/contracts/product/Product.sol#L338
The functions that close a taker/maker position are supposed to be called by the position owner; that is, only the caller's (`msg.sender`) own taker/maker position is supposed to be closable.
However, Product#`closeTakeFor()` and Product#`closeMakeFor()` above can be called by any user (including a malicious user), because the access control modifier on both functions is `public`.
Therefore, any user can call Product#`closeTakeFor()` or Product#`closeMakeFor()` and pass any existing address as their `account` parameter. This allows a malicious user to freely close any existing user's taker/maker position.
Impact
This allows a malicious user to freely close any existing user's taker/maker position.
Code Snippet
Tool used
Manual Review
Recommendation
Consider changing the access control modifier on Product#`closeTakeFor()` and Product#`closeMakeFor()` from `public` to `internal`.
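The pattern the report describes and the `internal` form it recommends, as an added illustration that is not Perennial's code: a stripped-down stand-in contract (the `PositionCloser` name, plain `uint256` positions, the `openTake` helper and the body of `onlyAccountOrMultiInvoker` are all assumptions, since the page names that modifier but does not show what it checks). It places the unguarded `public` entry point beside a modifier-guarded one and beside the `internal` variant whose only external caller is the `msg.sender`-bound wrapper.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Stand-in for Product (assumption: positions are plain uint256 amounts; the real
// contract uses UFixed18 plus settlement and invariant modifiers not shown here).
contract PositionCloser {
    address public immutable multiInvoker;
    mapping(address => uint256) public takerPosition;

    constructor(address multiInvoker_) { multiInvoker = multiInvoker_; }

    // Assumed body of the onlyAccountOrMultiInvoker modifier named on the page:
    // the caller must be `account` itself or the trusted MultiInvoker.
    modifier onlyAccountOrMultiInvoker(address account) {
        require(msg.sender == account || msg.sender == multiInvoker, "NOT_ACCOUNT_OR_INVOKER");
        _;
    }

    function openTake(uint256 amount) external { takerPosition[msg.sender] += amount; }

    // The pattern the report warns about: `public`, `account` chosen by the caller,
    // and nothing binding it to msg.sender, so any caller may pass another user's address.
    function closeTakeForUnguarded(address account, uint256 amount) public {
        _closeTake(account, amount);
    }

    // Guarded form: `public` visibility is harmless once the modifier rejects every
    // caller that is neither `account` nor the MultiInvoker.
    function closeTakeFor(address account, uint256 amount)
        public
        onlyAccountOrMultiInvoker(account)
    {
        _closeTake(account, amount);
    }

    // The report's recommendation: keep the account-taking path `internal`, leaving
    // the msg.sender-bound wrapper as the only external entry point.
    function closeTake(uint256 amount) external { _closeTakeFor(msg.sender, amount); }

    function _closeTakeFor(address account, uint256 amount) internal {
        _closeTake(account, amount);
    }

    function _closeTake(address account, uint256 amount) private {
        require(takerPosition[account] >= amount, "INSUFFICIENT_POSITION");
        takerPosition[account] -= amount;
    }
}
```

A unit test for either guarded variant should call the function from an address that is neither `account` nor `multiInvoker` and expect a revert, which is the check that distinguishes the guarded paths from `closeTakeForUnguarded`.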