Unrestricted Access to batchUpdateAccountToken Allows Unauthorized Token Balance Modification
Summary
The vulnerability lies in the batchUpdateAccountToken function. This function lacks proper access control, allowing any user to call it and potentially manipulate their own or other users' token balances. This issue can lead to draining the protocol's funds or causing a griefing attack by modifying other users' balances.
Vulnerability Detail
Here is a simple scenario
Bob deposit 100 sol
Bob calls batchUpdateAccountToken with params sol and 100
function batchUpdateAccountToken(AssetsProcess.UpdateAccountTokenParams calldata params) external override {
AddressUtils.validEmpty(params.account);
AssetsProcess.updateAccountToken(params);
}
this executes updateAccountToken in AssetsProcess.sol
which executes
if (params.changedTokenAmounts[i] > 0) {
accountProps.addToken(params.tokens[i], params.changedTokenAmounts[i].toUint256());
accountProps.repayLiability(params.tokens[i]);
}
which will increase Bob's of SOL with another 100 token
Bob can either use that as new margin for his positions which can lead to him not liquidated
withdraw the new funds leading to him draining the protocol reserve
he can use the same strategy to repay liabilities and borrow as much as he needs from the protocol.
Another Scenario
Alice deposits 100 sol
Alice execute a withdraw requests
Attacker frontrun the withdraw request and call batchUpdateAccountToken on Alice's behalf and reduce her sol balance by 100
this will lead to her balance being 0 leading to the withdraw being reverted and her losing funds
0xPwnd
High
Unrestricted Access to batchUpdateAccountToken Allows Unauthorized Token Balance Modification
Summary
The vulnerability lies in the batchUpdateAccountToken function. This function lacks proper access control, allowing any user to call it and potentially manipulate their own or other users' token balances. This issue can lead to draining the protocol's funds or causing a griefing attack by modifying other users' balances.
Vulnerability Detail
Here is a simple scenario
batchUpdateAccountToken
with params sol and 100updateAccountToken
inAssetsProcess.sol
Another Scenario
batchUpdateAccountToken
on Alice's behalf and reduce her sol balance by 100Impact
Loss of funds for both users and protocol
Code Snippet
https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/8a1a01804a7de7f73a04d794bf6b8104528681ad/elfi-perp-contracts/contracts/facets/AccountFacet.sol#L68-L71
https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/8a1a01804a7de7f73a04d794bf6b8104528681ad/elfi-perp-contracts/contracts/process/AssetsProcess.sol#L179-L193
Tool used
Manual Review
Recommendation
Implement checks on the
batchUpdateAccountToken
Duplicate of #28