Unsuspecting partyB users can successfully process a quote sent from a suspended address before suspension
Summary
A malicious user can send a quote right before their account is suspended. Once they are suspended, they are locked in, but their pending quotes are not cleared. This poses an issue, as unsuspecting partyB users can process the position of a suspended user, which should not happen.
Vulnerability Detail
If userA is about to be suspended, they can send a quote with their total available balance, which could be fulfilled by any of the approved partyB users in their wish list. An unsuspecting partyB user can therefore begin processing the user's order.
josephdara
medium
Impact
https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/facets/PartyB/PartyBFacet.sol#L17-L24
https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/facets/PartyB/PartyBFacetImpl.sol#L22-L38
In the functions above, the partyB user can lock the quote for processing; however, the functions do not check whether quote.partyA is suspended.
Code Snippet
Tool used
Manual Review
Recommendation
Add the check to the lock function in PartyBFacetImpl.sol.
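A simplified Solidity model of the missing check, added here as an illustration; it is not the Symmio contract code. The contract, function and variable names (QuoteLockModel, lockQuoteUnchecked, lockQuote, suspended) are hypothetical, and it assumes a suspended account cannot open new quotes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Illustrative model only: all names are hypothetical, not Symmio's own code.
contract QuoteLockModel {
    enum QuoteStatus { PENDING, LOCKED }
    struct Quote { address partyA; address partyB; QuoteStatus status; }

    address public immutable admin;
    uint256 public nextQuoteId;
    mapping(uint256 => Quote) public quotes;
    mapping(address => bool) public suspended;

    constructor() { admin = msg.sender; }

    function suspend(address user) external {
        require(msg.sender == admin, "not admin");
        suspended[user] = true; // quotes already sent by `user` stay PENDING
    }

    // partyA opens a quote. Assumption: suspended accounts cannot open new ones.
    function sendQuote() external returns (uint256 id) {
        require(!suspended[msg.sender], "partyA suspended");
        id = nextQuoteId++;
        quotes[id] = Quote(msg.sender, address(0), QuoteStatus.PENDING);
    }

    // Behaviour described in the report: only the quote status is checked,
    // so a quote sent just before suspension can still be locked by partyB.
    function lockQuoteUnchecked(uint256 id) external {
        Quote storage q = quotes[id];
        require(q.partyA != address(0), "unknown quote");
        require(q.status == QuoteStatus.PENDING, "not pending");
        q.status = QuoteStatus.LOCKED;
        q.partyB = msg.sender;
    }

    // Hardened variant: re-check partyA's suspension state at lock time.
    function lockQuote(uint256 id) external {
        Quote storage q = quotes[id];
        require(q.partyA != address(0), "unknown quote");
        require(q.status == QuoteStatus.PENDING, "not pending");
        require(!suspended[q.partyA], "partyA suspended");
        q.status = QuoteStatus.LOCKED;
        q.partyB = msg.sender;
    }
}
```

With the sequence sendQuote, suspend, lock, lockQuoteUnchecked succeeds while lockQuote reverts with "partyA suspended".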
Duplicate of #229