Anyone can call BalancedVault::syncAccount on behalf of another user
function syncAccount(address account) public {
(EpochContext memory context, ) = _settle(account);
_rebalance(context, UFixed18Lib.ZERO);
}
A malicious person can call this function specifying another user's address to disadvantage them at times when it would lead them to make a loss.
This is made possible because the update of prices is predictable. The malicious user could therefore time unfavorable price movements to disadvantage a user.
levi
medium
Griefing attack against users in
BalancedVault
Summary
Griefing attack against users in
BalancedVault
Vulnerability Detail
Anyone can call
BalancedVault::syncAccount
on behalf of another userA malicious person can call this function specifying another user's address to disadvantage them at times when it would lead them to make a loss.
This is made possible because the update of prices is predictable. The malicious user could therefore time unfavorable price movements to disadvantage a user.
Impact
Griefing of vault users
Code Snippet
https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial-vaults/contracts/balanced/BalancedVault.sol#L146-L149
Tool used
Manual Review
Recommendation
Enforce a check to ensure that
msg.sender == account
in thesyncAccount(address account)
function.