The quoteAsset could have external positions and still be traded
Summary
Components can not have any external positions if they are involved in an auction since the default position could impact the safety of the external position. This is true for all assets traded in the auction module other than the quoteAsset. There is no check that the quoteAsset does not have an external position.
Vulnerability Detail
In startRebalance() it is checked that a components does not have any external positions
for (uint256 i = 0; i < allComponents.length; i++) {
require(!_setToken.hasExternalPosition(allComponents[i]), "External positions not allowed");
executionInfo[_setToken][IERC20(allComponents[i])] = allAuctionParams[i];
}
but there is no check that the quoteAsset does not have any external positions. This means that the auction could manipulate the default position of a component with external positions. This could lead to serious issues depending on the external position.
Impact
Manipulation of the default position of components with external positions. This is prohibited for all other components involved in the auction other than for the quoteAsset since this can lead to security issues in the external position.
qandisa
medium
The quoteAsset could have external positions and still be traded
Summary
Components can not have any external positions if they are involved in an auction since the default position could impact the safety of the external position. This is true for all assets traded in the auction module other than the quoteAsset. There is no check that the quoteAsset does not have an external position.
Vulnerability Detail
In
startRebalance()it is checked that a components does not have any external positionsbut there is no check that the quoteAsset does not have any external positions. This means that the auction could manipulate the default position of a component with external positions. This could lead to serious issues depending on the external position.
Impact
Manipulation of the default position of components with external positions. This is prohibited for all other components involved in the auction other than for the quoteAsset since this can lead to security issues in the external position.
Code Snippet
https://github.com/sherlock-audit/2023-06-Index/blob/main/index-protocol/contracts/protocol/modules/v1/AuctionRebalanceModuleV1.sol#L756
Tool used
Manual Review
Recommendation
Add a check that the quoteToken does not have an external position similar to how this is checked for all other components.