missing authorization and not forcing the user to transfer funds lead to loss of funds
Summary
missing an authorization check and not forcing the user to transfer funds leads to updating user balance without transferring funds
Vulnerability Detail
the function batchUpdateAccountToken is used to updates a list of tokens in the account but due to missing authorization check anyone can pass params.account with any account they want and manipulate the account balance of the others and it also doesn't force the user to transfer funds but still update the user balance with the specified amount which will lead to lose of funds anyone can call and pass a fake amount and try to withdraw it and even he can subtract other people account
Impact
loss of fund
manipulating others people account balacne
jah
High
missing authorization and not forcing the user to transfer funds lead to loss of funds
Summary
missing an authorization check and not forcing the user to transfer funds leads to updating user balance without transferring funds
Vulnerability Detail
the function batchUpdateAccountToken is used to updates a list of tokens in the account but due to missing authorization check anyone can pass params.account with any account they want and manipulate the account balance of the others and it also doesn't force the user to transfer funds but still update the user balance with the specified amount which will lead to lose of funds anyone can call and pass a fake amount and try to withdraw it and even he can subtract other people account
Impact
loss of fund manipulating others people account balacne
Code Snippet
https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/facets/AccountFacet.sol#L70
Tool used
Manual Review
Recommendation
force the user to transfer fund and let only the user updated his own account
Duplicate of #28