High

batchUpdateAccountToken can set token balance arbitrarily

Summary

batchUpdateAccountToken can add token arbitrarily.

Vulnerability Detail

The batchUpdateAccountToken function allows arbitrary setting of token balances.

/// @dev Batch update account token
    /// @param params Parameters for updating account token
    function batchUpdateAccountToken(AssetsProcess.UpdateAccountTokenParams calldata params) external override {
        AddressUtils.validEmpty(params.account);
        AssetsProcess.updateAccountToken(params);
    }

  /// @dev Updates the token balances of an account
    /// @param params UpdateAccountTokenParams
    function updateAccountToken(UpdateAccountTokenParams calldata params) external {
        Account.Props storage accountProps = Account.load(params.account);
        accountProps.checkExists();
        for (uint256 i; i < params.tokens.length; i++) {
            if (params.changedTokenAmounts[i] == 0) {
                continue;
            }
            if (params.changedTokenAmounts[i] > 0) {
                accountProps.addToken(params.tokens[i], params.changedTokenAmounts[i].toUint256());
                accountProps.repayLiability(params.tokens[i]);
            } else {
                accountProps.subToken(params.tokens[i], (-params.changedTokenAmounts[i]).toUint256());
            }
        }
    }

Impact

An attacker can arbitrarily set the token balances of any account, leading to unauthorized manipulation of account balances.

Code Snippet

https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/facets/AccountFacet.sol#L68 https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/AssetsProcess.sol#L179

Tool used

Manual Review

Recommendation

Remove the batchUpdateAccountToken function to prevent arbitrary token balance modifications.

Duplicate of #28

sherlock-audit / 2024-05-elfi-protocol-judging

1337 - batchUpdateAccountToken can set token balance arbitrarily #281