search

sherlock-audit / 2024-09-symmio-v0-8-4-update-contest-judging

0 stars 0 forks source link

carpark - The withdraw function didn't do CEI. #32

Closed sherlock-admin3 closed 1 week ago

sherlock-admin3 commented 1 week ago

carpark

Invalid

The withdraw function didn't do CEI.

withdraw function

This withdraw function in https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/a975aafb06cc3dcb9e4bf9b56ceeb4a9f8163503/protocol-core/contracts/facets/Account/AccountFacetImpl.sol#L26-L36 didn't CEI. It is very important function because of payable function, but it didn't do a check.

Impact

High

Mitigation

    function withdraw(address user, uint256 amount) internal {
        AccountStorage.Layout storage accountLayout = AccountStorage.layout();
        GlobalAppStorage.Layout storage appLayout = GlobalAppStorage.layout();

+              require( amount <= accountLayout.balances[msg.sender], "AccountFacet: Insufficient balance" );

        require(
            block.timestamp >= accountLayout.withdrawCooldown[msg.sender] + MAStorage.layout().deallocateCooldown,
            "AccountFacet: Cooldown hasn't reached"
        );
        uint256 amountWith18Decimals = (amount * 1e18) / (10 ** IERC20Metadata(appLayout.collateral).decimals());
        accountLayout.balances[msg.sender] -= amountWith18Decimals;
        IERC20(appLayout.collateral).safeTransfer(user, amount);
    }