Closed sherlock-admin3 closed 4 months ago
1337
High
batchUpdateAccountToken can add token arbitrarily.
batchUpdateAccountToken
The batchUpdateAccountToken function allows arbitrary setting of token balances.
/// @dev Batch update account token /// @param params Parameters for updating account token function batchUpdateAccountToken(AssetsProcess.UpdateAccountTokenParams calldata params) external override { AddressUtils.validEmpty(params.account); AssetsProcess.updateAccountToken(params); }
/// @dev Updates the token balances of an account /// @param params UpdateAccountTokenParams function updateAccountToken(UpdateAccountTokenParams calldata params) external { Account.Props storage accountProps = Account.load(params.account); accountProps.checkExists(); for (uint256 i; i < params.tokens.length; i++) { if (params.changedTokenAmounts[i] == 0) { continue; } if (params.changedTokenAmounts[i] > 0) { accountProps.addToken(params.tokens[i], params.changedTokenAmounts[i].toUint256()); accountProps.repayLiability(params.tokens[i]); } else { accountProps.subToken(params.tokens[i], (-params.changedTokenAmounts[i]).toUint256()); } } }
An attacker can arbitrarily set the token balances of any account, leading to unauthorized manipulation of account balances.
https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/facets/AccountFacet.sol#L68 https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/AssetsProcess.sol#L179
Manual Review
Remove the batchUpdateAccountToken function to prevent arbitrary token balance modifications.
Duplicate of #28
1337
High
batchUpdateAccountToken can set token balance arbitrarily
Summary
batchUpdateAccountTokencan add token arbitrarily.Vulnerability Detail
The batchUpdateAccountToken function allows arbitrary setting of token balances.
Impact
An attacker can arbitrarily set the token balances of any account, leading to unauthorized manipulation of account balances.
Code Snippet
https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/facets/AccountFacet.sol#L68 https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/AssetsProcess.sol#L179
Tool used
Manual Review
Recommendation
Remove the batchUpdateAccountToken function to prevent arbitrary token balance modifications.
Duplicate of #28