sherlock-audit / 2023-06-symmetrical-judging


AkshaySrivastav - Validation of Muon signatures can be frontrunned by increasing nonces #304

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

AkshaySrivastav

high

Validation of Muon signatures can be frontrunned by increasing nonces

Summary

The validation of Muon network signatures depends upon nonces of users. Anyone can do empty deposits to increase the nonce so that the signature verification fails.

Vulnerability Detail

By doing a 0-amount deposit, any user can increase his nonce value.

The nonce values are read by the Muon network before signing the requested data. The nonce value is also read by the Symmetrical protocol during signature validation. In case there is any mismatch between the nonces, the signature validation fails.

The functions impacted are:

These functions are used throughout the protocol, especially in liquidations. A change in a user's nonce will result in liquidation txns getting reverted.

Impact

Scenario:

The attack can be performed to DoS other crucial protocol operations by both partyA and partyB.

Code Snippet

https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/facets/Account/AccountFacetImpl.sol#L19-L25

Tool used

Manual Review

Recommendation

Fixing this issue could be tricky as the protocol heavily relies on Muon signatures and user nonces. Maybe not incrementing the user nonce where that is not crucial (like deposits) could be a possible solution.

Duplicate of #233
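
A minimal Python model of the nonce mismatch described in the report, added here as an illustration and not taken from the report or the Symmetrical code base. The `Ledger` class, the HMAC stand-in for the Muon signature, and all names and values are assumptions constructed for the example; the second mode follows the report's recommendation of leaving the nonce unchanged on deposits.

```python
import hashlib
import hmac

# Constructed demo key; HMAC stands in for the Muon network signature scheme.
SIGNER_KEY = b"constructed-demo-key"


def sign(user: str, nonce: int, upnl: int) -> bytes:
    """Oracle side: sign the data together with the nonce read at signing time."""
    msg = f"{user}|{nonce}|{upnl}".encode()
    return hmac.new(SIGNER_KEY, msg, hashlib.sha256).digest()


class Ledger:
    """Hypothetical, simplified account ledger (not the Symmetrical contracts)."""

    def __init__(self, bump_nonce_on_deposit: bool):
        self.bump_nonce_on_deposit = bump_nonce_on_deposit
        self.balance = {}
        self.nonce = {}

    def deposit(self, user: str, amount: int) -> None:
        # A 0-amount deposit is accepted, as in the report.
        self.balance[user] = self.balance.get(user, 0) + amount
        if self.bump_nonce_on_deposit:
            self.nonce[user] = self.nonce.get(user, 0) + 1

    def verify(self, user: str, upnl: int, sig: bytes) -> bool:
        # Validation re-reads the *current* nonce, so any change since
        # signing makes the expected signature differ from the one supplied.
        expected = sign(user, self.nonce.get(user, 0), upnl)
        return hmac.compare_digest(expected, sig)


def signature_survives_deposit(bump_nonce_on_deposit: bool) -> bool:
    """Sign for partyA, let a 0-amount deposit land first, then validate."""
    ledger = Ledger(bump_nonce_on_deposit)
    ledger.deposit("partyA", 100)
    sig = sign("partyA", ledger.nonce.get("partyA", 0), upnl=-40)
    ledger.deposit("partyA", 0)  # ordered ahead of the call that carries sig
    return ledger.verify("partyA", -40, sig)


if __name__ == "__main__":
    print("nonce bumped on deposit:", signature_survives_deposit(True))
    print("nonce untouched on deposit:", signature_survives_deposit(False))
```
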