Closed sherlock-admin closed 1 year ago
cergyk
high
A malicious partyB can reuse a SingleUpnlSignature passed during liquidation, and profit illigitemately
During a liquidation of partyB, a muon signature is used: https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/facets/liquidation/LiquidationFacetImpl.sol#L240-L244
However, since the partyB nonces are not incremented, this signature can be reused during funds allocation/deallocation, although partyB's funds have been already updated by the liquidation: https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/facets/Account/AccountFacet.sol#L84-L91
allocation/deallocation
If upnl in the signature is positive, this means that the partyB receives more funds than due, effectively stealing from the protocol
Theft of funds from the protocol by a partyB
Manual Review
Increment partyB's nonces during liquidation
Duplicate of #190
cergyk
high
PartyB nonce is not incremented during liquidation and can lead to signature reuse
Summary
A malicious partyB can reuse a SingleUpnlSignature passed during liquidation, and profit illigitemately
Vulnerability Detail
During a liquidation of partyB, a muon signature is used: https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/facets/liquidation/LiquidationFacetImpl.sol#L240-L244
However, since the partyB nonces are not incremented, this signature can be reused during funds
allocation/deallocation, although partyB's funds have been already updated by the liquidation: https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/facets/Account/AccountFacet.sol#L84-L91If upnl in the signature is positive, this means that the partyB receives more funds than due, effectively stealing from the protocol
Impact
Theft of funds from the protocol by a partyB
Code Snippet
Tool used
Manual Review
Recommendation
Increment partyB's nonces during liquidation
Duplicate of #190