Closed sherlock-admin closed 1 year ago
SanketKogekar
medium
onlyPartyB
AccountFaucer.transferAllocation
The modifier onlyPartyB is not used on function AccountFaucer.transferAllocation
The transferAllocation function which is meant for PartyB to transfer their allocated amount, can be called by any user.
transferAllocation
Not sure if would cause loss of funds in any way, but looks like something that the developer missed to do.
*Though in case the function is expected to be used by PartyA , then it clearly misses the following check in AccountFacetImpl.transferAllocation:
AccountFacetImpl.transferAllocation
require( !MAStorage.layout().liquidationStatus[quote.partyA], "LibQuote: PartyA isn't solvent" );
https://github.com/sherlock-audit/2023-06-symmetrical/blob/6d2b64b6732fcfbd07c8217897dd233dbb6cd1f5/symmio-core/contracts/facets/Account/AccountFacet.sol#L104
Manual Review
Change the function code to:
function transferAllocation( uint256 amount, address origin, address recipient, SingleUpnlSig memory upnlSig ) external whenNotPartyBActionsPaused onlyPartyB {
SanketKogekar
medium
Missing modifier
onlyPartyB
onAccountFaucer.transferAllocation
Summary
The modifier
onlyPartyB
is not used on functionAccountFaucer.transferAllocation
Vulnerability Detail
The
transferAllocation
function which is meant for PartyB to transfer their allocated amount, can be called by any user.Impact
Not sure if would cause loss of funds in any way, but looks like something that the developer missed to do.
*Though in case the function is expected to be used by PartyA , then it clearly misses the following check in
AccountFacetImpl.transferAllocation
:Code Snippet
https://github.com/sherlock-audit/2023-06-symmetrical/blob/6d2b64b6732fcfbd07c8217897dd233dbb6cd1f5/symmio-core/contracts/facets/Account/AccountFacet.sol#L104
Tool used
Manual Review
Recommendation
Change the function code to: