Open sherlock-admin3 opened 1 month ago
silver_eth
High
this is the check to ensure only authorized can modify a position https://github.com/sherlock-audit/2024-08-perennial-v2-update-3/blob/main/perennial-v2/packages/perennial/contracts/libs/InvariantLib.sol#L78-L82 hoevere that check is done here https://github.com/sherlock-audit/2024-08-perennial-v2-update-3/blob/main/perennial-v2/packages/perennial/contracts/Market.sol#L501-L502 which calls this https://github.com/sherlock-audit/2024-08-perennial-v2-update-3/blob/main/perennial-v2/packages/perennial/contracts/MarketFactory.sol#L77-L88 the issue is anybody can make themselves an extension for an account https://github.com/sherlock-audit/2024-08-perennial-v2-update-3/blob/main/perennial-v2/packages/perennial/contracts/MarketFactory.sol#L100-L103
effectively making them an operator thus allowing them to modify a position and withdraw the accouns collateral
Appears to be a duplicate of https://github.com/sherlock-audit/2024-08-perennial-v2-update-3-judging/issues/52
silver_eth
High
There is insufficient access control on updating an account position
this is the check to ensure only authorized can modify a position https://github.com/sherlock-audit/2024-08-perennial-v2-update-3/blob/main/perennial-v2/packages/perennial/contracts/libs/InvariantLib.sol#L78-L82 hoevere that check is done here https://github.com/sherlock-audit/2024-08-perennial-v2-update-3/blob/main/perennial-v2/packages/perennial/contracts/Market.sol#L501-L502 which calls this https://github.com/sherlock-audit/2024-08-perennial-v2-update-3/blob/main/perennial-v2/packages/perennial/contracts/MarketFactory.sol#L77-L88 the issue is anybody can make themselves an extension for an account https://github.com/sherlock-audit/2024-08-perennial-v2-update-3/blob/main/perennial-v2/packages/perennial/contracts/MarketFactory.sol#L100-L103
effectively making them an operator thus allowing them to modify a position and withdraw the accouns collateral