Closed sherlock-admin closed 1 year ago
SanketKogekar
medium
onlyPartyB
AccountFaucer.transferAllocation
The modifier onlyPartyB is not used on function AccountFaucer.transferAllocation
The transferAllocation function which is meant for PartyB to transfer their allocated amount, can be called by any user.
transferAllocation
Not sure if would cause loss of funds in any way, but looks like something that the developer missed to do.
*Though in case the function is expected to be used by PartyA , then it clearly misses the following check in AccountFacetImpl.transferAllocation:
AccountFacetImpl.transferAllocation
require( !MAStorage.layout().liquidationStatus[quote.partyA], "LibQuote: PartyA isn't solvent" );
https://github.com/sherlock-audit/2023-06-symmetrical/blob/6d2b64b6732fcfbd07c8217897dd233dbb6cd1f5/symmio-core/contracts/facets/Account/AccountFacet.sol#L104
Manual Review
Change the function code to:
function transferAllocation( uint256 amount, address origin, address recipient, SingleUpnlSig memory upnlSig ) external whenNotPartyBActionsPaused onlyPartyB {
SanketKogekar
medium
Missing modifier
onlyPartyBonAccountFaucer.transferAllocationSummary
The modifier
onlyPartyBis not used on functionAccountFaucer.transferAllocationVulnerability Detail
The
transferAllocationfunction which is meant for PartyB to transfer their allocated amount, can be called by any user.Impact
Not sure if would cause loss of funds in any way, but looks like something that the developer missed to do.
*Though in case the function is expected to be used by PartyA , then it clearly misses the following check in
AccountFacetImpl.transferAllocation:Code Snippet
https://github.com/sherlock-audit/2023-06-symmetrical/blob/6d2b64b6732fcfbd07c8217897dd233dbb6cd1f5/symmio-core/contracts/facets/Account/AccountFacet.sol#L104
Tool used
Manual Review
Recommendation
Change the function code to: