safdie - Lack of `require` for quote validity in `lockQuote` allow attackers to attempt to lock already-locked quotes or expired quotes in `PartyBQuoteActionsFacetImpl.sol` #19
Lack of require for quote validity in lockQuote allow attackers to attempt to lock already-locked quotes or expired quotes in PartyBQuoteActionsFacetImpl.sol
Summary
The lockQuote function does not check if the quote is in a valid state before locking (e.g., verifying that the quote is not already locked or in an invalid state). This could allow attackers to attempt to lock already-locked quotes or expired quotes.
Missing quote state check:
There are no checks to ensure that the quote is in a valid state for locking. Quotes should typically be in a specific status (e.g., OPEN, CLOSE_PENDING, etc.) before they can be locked. This could allow a user to lock a quote that is not valid for such an operation.
If a quote is in an invalid state (like CANCELED or EXPIRED), locking it could lead to inconsistent states and potential loss of funds or erroneous behavior in the system.
require(quote.quoteStatus == QuoteStatus.LOCKED || quote.quoteStatus == QuoteStatus.PENDING, "Quote is not in a valid state to lock");
Quote existence:
There should be a check to confirm that the quote with the specified quoteId actually exists. If an attacker attempts to lock a quote that does not exist (e.g., an out-of-bounds ID), it could lead to unexpected behaviors.
require(quoteId < quoteLayout.quotes.length, "Quote does not exist");
Ownership/permissions check:
It might be necessary to check if the caller (msg.sender) is authorized to lock this specific quote. If there’s a lack of permission checks, any party could lock quotes that don’t belong to them, leading to potential misuse.
require(msg.sender == quote.partyB, "Not authorized to lock this quote");
Quote expiry check:
If quotes have a specific deadline, you should check whether the current time exceeds that deadline before allowing a lock operation.
require(block.timestamp <= quote.deadline, "Quote has expired");
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
Users could lock quotes that should not be lockable, leading to a mishandling of state and potential fund loss.
Locking an expired or canceled quote could result in unwanted states that the system does not account for.
Without permission checks, users could manipulate quotes that do not belong to them.
PoC
No response
Mitigation
Add the aforementioned require statements to ensure the quote is valid, exists, and the caller has the correct permissions.
safdie
High
Lack of
requirefor quote validity inlockQuoteallow attackers to attempt to lock already-locked quotes or expired quotes inPartyBQuoteActionsFacetImpl.solSummary
The
lockQuotefunction does not check if the quote is in a valid state before locking (e.g., verifying that the quote is not already locked or in an invalid state). This could allow attackers to attempt to lock already-locked quotes or expired quotes.Root Cause
The
lockQuotefunction inPartyBQuoteActionsFacetImpl.solcontract is a crucial point for ensuring the integrity of the system by validating quotes before they are locked. A lack ofrequirestatements for quote validity can lead to several vulnerabilities. https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/facets/PartyBQuoteActions/PartyBQuoteActionsFacetImpl.sol#L23-L31OPEN,CLOSE_PENDING, etc.) before they can be locked. This could allow a user to lock a quote that is not valid for such an operation. If a quote is in an invalid state (likeCANCELEDorEXPIRED), locking it could lead to inconsistent states and potential loss of funds or erroneous behavior in the system.quoteIdactually exists. If an attacker attempts to lock a quote that does not exist (e.g., an out-of-bounds ID), it could lead to unexpected behaviors.msg.sender) is authorized to lock this specific quote. If there’s a lack of permission checks, any party could lock quotes that don’t belong to them, leading to potential misuse.Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
PoC
No response
Mitigation
Add the aforementioned require statements to ensure the quote is valid, exists, and the caller has the correct permissions.