It was observed that PartyA can revoke access as long as the revoke cooldown has passed and the ability to revoke access does not expire. As the ability to revoke access does not expire, this gives back the users the freedom to revoke access anytime, resulting in similar issues described in the documentation where PartyB cannot execute certain actions when it expects to do so.
Root Cause
The ability to revoke access does not expire
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
It was observed that PartyA can revoke access as long as the revoke cooldown has passed and the ability to revoke access does not expire. Thus, PartyA could simply execute the proposeToRevokeAccesses function when a new account is created in anticipation of the possibility of access revocation in the future. After the revoke cooldown has passed, this gives PartyA the ability to instantly revoke the access whenever they wish since this ability does not expire.
freedom in revoking access created challenges for hedgers. For instance, hedgers might assume they could sendQuote on behalf of users during the instantOpen process, only to discover their access had been revoked after they had already hedged the position.
As the ability to revoke access does not expire, this gives back the users the freedom to revoke access anytime, This resulted in similar issues described in the documentation where PartyB cannot execute certain actions when it expects to do so, breaking core protocol functionality.
PoC
No response
Mitigation
The ability to revoke access should expire if PartyA does not trigger it within a certain timeframe.
xiaoming90
High
Ability to revoke access does not expire
Summary
It was observed that PartyA can revoke access as long as the revoke cooldown has passed and the ability to revoke access does not expire. As the ability to revoke access does not expire, this gives back the users the freedom to revoke access anytime, resulting in similar issues described in the documentation where PartyB cannot execute certain actions when it expects to do so.
Root Cause
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
It was observed that PartyA can revoke access as long as the revoke cooldown has passed and the ability to revoke access does not expire. Thus, PartyA could simply execute the
proposeToRevokeAccesses
function when a new account is created in anticipation of the possibility of access revocation in the future. After the revoke cooldown has passed, this gives PartyA the ability to instantly revoke the access whenever they wish since this ability does not expire.https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/multiAccount/MultiAccount.sol#L100
Impact
Extracted from the Symm IO v0.8.3 documentation:
As the ability to revoke access does not expire, this gives back the users the freedom to revoke access anytime, This resulted in similar issues described in the documentation where PartyB cannot execute certain actions when it expects to do so, breaking core protocol functionality.
PoC
No response
Mitigation
The ability to revoke access should expire if PartyA does not trigger it within a certain timeframe.