`Force Close Minimum Signature Period` might be skipped when `closePrice` is different than `sig.averagePrice`.

Summary

The protocol has a named force close minimum signature period to ensure both parties agree on the final state before closing.
And these period should be elapsed regardless of whether closePrice is equal to sig.averagePrice.
But these period might be not elapsed when closePrice is different than sig.averagePrice.

Vulnerability Detail

For about PartyA's forceClosePosition,
- "This mechanism comes into play when a hedger does not fill a close order at the specified price." [https://docs.symm.io/protocol-architecture/technical-documentation/contracts-documentation-0.8.2/facets/partya-facet#forcecloseposition]
- It means it requires some Period that ensures both parties agree on the final state before closing.
On PartyAFacetImpl#forceClosePosition(),
- maLayout.forceCloseMinSigPeriod (the minimum signature period required for force closing of positions) is checked only when closePrice is equal to sig.averagePrice.
- It means the minimum signature period might be not elapsed when closePrice is different thansig.averagePrice.

function forceClosePosition(
    uint256 quoteId,
    HighLowPriceSig memory sig
) internal returns (
    uint256 closePrice, 
    bool isPartyBLiquidated, 
    int256 upnlPartyB, 
    uint256 partyBAllocatedBalance
) {
    ...
    if (closePrice == sig.averagePrice) //<---------- @audit
        require(
            sig.endTime - sig.startTime >= maLayout.forceCloseMinSigPeriod, 
            "PartyAFacet: Invalid signature period"
        );
    }
    ...
}

But for about forceCloseMinSigPeriod,
- It is an independent mechanism how closePrice is determined.
- It focuses on the integrity of the state and ensuring both parties agree on the final state before closing.

Impact

Force Close Minimum Signature Period might be not elapsed when closePrice is different than sig.averagePrice and It happens protocol violation.

Code Snippet

https://github.com/sherlock-audit/2024-06-symmetrical-update-2/blob/main/protocol-core/contracts/facets/PartyA/PartyAFacetImpl.sol#L243

Tool used

Manual Review

Recommendation

Please update PartyAFacetImpl#forceClosePosition() as follows.

    function forceClosePosition(
        uint256 quoteId,
        HighLowPriceSig memory sig
    ) internal returns (
        uint256 closePrice, 
        bool isPartyBLiquidated, 
        int256 upnlPartyB, 
        uint256 partyBAllocatedBalance
    ) {
        ...
--      if (closePrice == sig.averagePrice)
            require(
                sig.endTime - sig.startTime >= maLayout.forceCloseMinSigPeriod, 
                "PartyAFacet: Invalid signature period"
            );
--      }
        ...
    }

sherlock-audit / 2024-06-symmetrical-update-2-judging

unix515 - `Force Close Minimum Signature Period` might be skipped when `closePrice` is different than `sig.averagePrice`. #18

`Force Close Minimum Signature Period` might be skipped when `closePrice` is different than `sig.averagePrice`.

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

sherlock-audit / 2024-06-symmetrical-update-2-judging

unix515 - `Force Close Minimum Signature Period` might be skipped when `closePrice` is different than `sig.averagePrice`. #18

Force Close Minimum Signature Period might be skipped when closePrice is different than sig.averagePrice.

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

`Force Close Minimum Signature Period` might be skipped when `closePrice` is different than `sig.averagePrice`.