Closed sherlock-admin2 closed 1 week ago
1 comment(s) were left on this issue during the judging contest.
Hash01011122 commented:
Low/Med vulnerability, Highly hypothetical scenario: Alice colludes with a PartyB and an affiliator. Technically, PartyA is permissionless, so nothing prevents PartyB or affiliator from being a PartyA at the same time. Thus, it is possible that PartyB or affiliator also owns a PartyA account that allows them to exploit this issue
xiaoming90
Medium
Two restrictions (
deallocateDebounceTime
anddeallocateCooldown
) can be bypassedSummary
The two restrictions (
deallocateDebounceTime
anddeallocateCooldown
) are important security properties to enforce within the protocol. However, they can be bypassed. In the event of an attack, malicious users could bypass these restrictions to quickly deallocate multiple times within a short period of time, potentially draining the protocol.Vulnerability Detail
Per the documentation, a new condition to enforce a debounce time between deallocation requests to prevent too frequent deallocations has been added at Line 52 below.
https://github.com/sherlock-audit/2024-06-symmetrical-update-2/blob/main/protocol-core/contracts/facets/Account/AccountFacetImpl.sol#L52
However, it was found that there is a workaround to bypass this restriction. Assume that Alice (PartyA) wants to deallocate some funds and withdraw them to her wallet address. However, Alice is restricted by the
deallocateDebounceTime
as she has just deallocated a while back.In addition, Alice is also restricted by the
deallocateCooldown
at Line 30 below, which prevents Alice from withdrawing the funds out of the protocol shortly after deallocating.https://github.com/sherlock-audit/2024-06-symmetrical-update-2/blob/main/protocol-core/contracts/facets/Account/AccountFacetImpl.sol#L30
Alice could bypass these two restrictions (
deallocateDebounceTime
anddeallocateCooldown
) via the following workaround:withdraw
function to withdraw the funds immediately without any cooldown. This is because when the balance is accumulated to affiliator's account, theaccountLayout.withdrawCooldown[user]
was not updated.https://github.com/sherlock-audit/2024-06-symmetrical-update-2/blob/main/protocol-core/contracts/facets/PartyB/PartyBFacetImpl.sol#L99
Impact
The two restrictions (
deallocateDebounceTime
anddeallocateCooldown
) are important security properties to enforce within the protocol. However, they can be bypassed. In the event of an attack, malicious users could bypass these restrictions to quickly deallocate multiple times within a short period of time, potentially draining the protocol.Code Snippet
https://github.com/sherlock-audit/2024-06-symmetrical-update-2/blob/main/protocol-core/contracts/facets/Account/AccountFacetImpl.sol#L52
https://github.com/sherlock-audit/2024-06-symmetrical-update-2/blob/main/protocol-core/contracts/facets/Account/AccountFacetImpl.sol#L30
https://github.com/sherlock-audit/2024-06-symmetrical-update-2/blob/main/protocol-core/contracts/facets/PartyB/PartyBFacetImpl.sol#L99
Tool used
Manual Review
Recommendation
Whenever an account's balance is updated, the
accountLayout.withdrawCooldown[user]
should be updated to the current timestamp to ensure that no one can abuse this bypass the cooldown, and to ensure that the recipient is subjected to the relevant cooldown period.