search

sherlock-audit / 2023-06-symmetrical-judging

5 stars 4 forks source link

AkshaySrivastav - The protocol allows opening a max possible position but prevents the user from keeping it healthy #334

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

AkshaySrivastav

medium

The protocol allows opening a max possible position but prevents the user from keeping it healthy

Summary

The protocol allows a partyA to allocate funds upto balanceLimitPerUser and open max position but after that it prevents that user from keeping that position healthy by allocating more collateral.

Vulnerability Detail

The AccountFacetImpl.allocate looks like this 

    function allocate(uint256 amount) internal {
        AccountStorage.Layout storage accountLayout = AccountStorage.layout();
        require(
            accountLayout.allocatedBalances[msg.sender] + amount <=
            GlobalAppStorage.layout().balanceLimitPerUser,
            "AccountFacet: Allocated balance limit reached"
        );
        require(accountLayout.balances[msg.sender] >= amount, "AccountFacet: Insufficient balance");
        accountLayout.partyANonces[msg.sender] += 1;
        accountLayout.balances[msg.sender] -= amount;
        accountLayout.allocatedBalances[msg.sender] += amount;
    }

As can be seen above, a partyA can allocate upto balanceLimitPerUser and open positions with that allocated balance. However if the health factor of those postions depletes then the partyA cannot restore the heath of those positions by allocating more funds.

Impact

Due to this a max allocated and max leveraged user becomes susceptible to liquidation forcefully.

Note that, the issue and scenario reported in #15 can also be combined with this issue to make the situation even worse for a particular partyA.

Code Snippet

https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/facets/Account/AccountFacetImpl.sol#L41-L52

Tool used

Manual Review

Recommendation

User must be allowed to top up his allocated balance to protect his positions from getting liquidated and loosing funds.

A margin can also be introduced, for eg, a user only allocate a maximum of 90% of balanceLimitPerUser.

Duplicate of #107