The current implementation of lockQuote( ) function lacks proper access control. As a result, any user can lock quotes provided the quoteId to cause denial of service.
The lockQuote( ) function does not check if the caller (msg.sender) is the intended PartyB for the specific quoteId. It uses the onlyPartyB modifier, to check if the caller is a registered PartyB and also notLiquidated(quoteId) modifier to check the liquidation status of quoteId . This oversight allows any user to lock any unliquidated quote, as long as they have sufficient balance.
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
denial of service
PoC
No response
Mitigation
use onlyPartyBOfQuote(quoteId) instead of onlyPartyB
air_0x
High
dos through lockQuote( )
Summary
The current implementation of lockQuote( ) function lacks proper access control. As a result, any user can lock quotes provided the
quoteIdto cause denial of service.Root Cause
https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/facets/PartyBQuoteActions/PartyBQuoteActionsFacet.sol#L20
https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/facets/PartyBQuoteActions/PartyBQuoteActionsFacetImpl.sol#L23
The
lockQuote( )function does not check if the caller(msg.sender)is the intendedPartyBfor the specificquoteId. It uses theonlyPartyBmodifier, to check if the caller is a registered PartyB and alsonotLiquidated(quoteId)modifier to check the liquidation status ofquoteId. This oversight allows any user to lock any unliquidated quote, as long as they have sufficient balance.Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
denial of service
PoC
No response
Mitigation
use
onlyPartyBOfQuote(quoteId)instead ofonlyPartyB