sherlock-audit / 2023-06-symmetrical-judging

5 stars 4 forks source link

SanketKogekar - Missing modifier `onlyPartyB` on `AccountFaucer.transferAllocation` #303

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

SanketKogekar

medium

Missing modifier onlyPartyB on AccountFaucer.transferAllocation

Summary

The modifier onlyPartyB is not used on function AccountFaucer.transferAllocation

Vulnerability Detail

The transferAllocation function which is meant for PartyB to transfer their allocated amount, can be called by any user.

Impact

Not sure if would cause loss of funds in any way, but looks like something that the developer missed to do.

*Though in case the function is expected to be used by PartyA , then it clearly misses the following check in AccountFacetImpl.transferAllocation:

require(
  !MAStorage.layout().liquidationStatus[quote.partyA],
  "LibQuote: PartyA isn't solvent"
);

Code Snippet

https://github.com/sherlock-audit/2023-06-symmetrical/blob/6d2b64b6732fcfbd07c8217897dd233dbb6cd1f5/symmio-core/contracts/facets/Account/AccountFacet.sol#L104

Tool used

Manual Review

Recommendation

Change the function code to:

function transferAllocation(
        uint256 amount,
        address origin,
        address recipient,
        SingleUpnlSig memory upnlSig
    ) external whenNotPartyBActionsPaused onlyPartyB {