sherlock-audit / 2024-05-elfi-protocol-judging


pashap9990 - Users cannot withdraw their assets if the admin omits a specific token from the trade token list #196

Closed sherlock-admin2 closed 3 months ago

sherlock-admin2 commented 3 months ago

pashap9990

Medium

Users cannot withdraw their assets if the admin omits a specific token from the trade token list

Summary

The admin may decide to omit a specific token from the trade token list, and this can have many reasons. When the admin does this, users cannot withdraw their tokens.

Vulnerability Detail

When a user makes a withdraw request and, after that, the keeper executes the user's request, the executeWithdraw function calls the executeWithdraw function after the withdraw function is called. The withdraw function checks whether the token supports collateral, and if the token does not support collateral, it does not allow the withdraw process to continue, which causes the withdraw process to stop.

Impact

Users cannot withdraw their assets if the admin omits a specific token from the trade token list

Code Snippet

https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/AssetsProcess.sol#L126

https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/storage/AppTradeConfig.sol#L84

Tool used

Manual Review

Recommendation

    function withdraw(uint256 requestId, WithdrawParams memory params) public {
        if (params.amount == 0) {
            revert Errors.AmountZeroNotAllowed();
        }
-        if (!AppTradeTokenConfig.getTradeTokenConfig(params.token).isSupportCollateral) {
-            revert Errors.OnlyCollateralSupported();
        }
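
Review bot: the closing `}` of the removed `if` block (the last line of the snippet) is left as an unmarked context line, so applied as written the change leaves an unmatched brace right after the `params.amount == 0` check; mark that line with `-` as well. With both `-` lines gone, the visible part of `withdraw` no longer validates `params.token` against the trade token config at all, so the recommendation should state whether that is intended or whether the check should only be relaxed for tokens that were supported before being removed from the list.
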
nevillehuang commented 3 months ago

Invalid, admins trusted per contest README