Suspended partyB can use another partyA to transfer fraudlent funds via artificial profit/loss
Summary
If any address is suspended due to fraud or whatever other reason, it is supposed to not be able to do anything with the funds which are in the account. For this reason, withdraw, withdrawTo and sendQuote (for partyA) are reverted if account is suspended. However, if partyB is suspended, it can still transfer funds out via a new partyA controlled by the same user, which can sendQuote, suspended partyB can then lockQuote and openPosition with openPrice such that partyB is in immediate high loss and partyA is in immediate high profit. The position is then immediately closed, effectively transferring funds from suspended partyB to partyA.
This makes it possible for suspended partyB to move funds around and potentially withdraw the fraudlent funds, which it is not supposed to be able to do.
(as well as the other functions which allow to lock and open positions, such as: allocateAndLockQuote, lockAndOpenQuote, allocateAndLockAndOpenQuote)
Since any user can create a new partyA account, suspended partyB can open positions via controlled partyA, thus allowing it to move funds.
Impact
If partyB is able to do something fraudlent, but it suspended before it was able to withdraw them, it will still be able to move funds to any other partyA, thus potentially making it possible to withdraw fraudelnt funds avoiding the account suspension.
Code Snippet
Tool used
Manual Review
Recommendation
Add notSuspended(msg.sender) to all partyB functions related to opening a position:
panprog
medium
Suspended partyB can use another partyA to transfer fraudlent funds via artificial profit/loss
Summary
If any address is suspended due to fraud or whatever other reason, it is supposed to not be able to do anything with the funds which are in the account. For this reason,
withdraw
,withdrawTo
andsendQuote
(for partyA) are reverted if account is suspended. However, if partyB is suspended, it can still transfer funds out via a new partyA controlled by the same user, which cansendQuote
, suspended partyB can thenlockQuote
andopenPosition
withopenPrice
such that partyB is in immediate high loss and partyA is in immediate high profit. The position is then immediately closed, effectively transferring funds from suspended partyB to partyA.This makes it possible for suspended partyB to move funds around and potentially withdraw the fraudlent funds, which it is not supposed to be able to do.
Vulnerability Detail
lockQuote
is allowed for suspended partyB:https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/facets/PartyB/PartyBFacet.sol#L17-L20
openPosition
is also allowed for suspended partyB:https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/facets/PartyB/PartyBFacet.sol#L150-L155
(as well as the other functions which allow to lock and open positions, such as:
allocateAndLockQuote
,lockAndOpenQuote
,allocateAndLockAndOpenQuote
)Since any user can create a new partyA account, suspended partyB can open positions via controlled partyA, thus allowing it to move funds.
Impact
If partyB is able to do something fraudlent, but it suspended before it was able to withdraw them, it will still be able to move funds to any other partyA, thus potentially making it possible to withdraw fraudelnt funds avoiding the account suspension.
Code Snippet
Tool used
Manual Review
Recommendation
Add
notSuspended(msg.sender)
to all partyB functions related to opening a position:lockQuote
openPosition
allocateAndLockQuote
lockAndOpenQuote
allocateAndLockAndOpenQuote
Duplicate of #229