In the function depositFor(address user, uint256 amount) the depositor can deposit for suspended user.
The depositor isn't able to know who is suspended user.
So the asset that the depositor deposited is locked because the suspended user can't withdraw from the contract.
Root Cause
In AccountFacet.sol:26https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/facets/Account/AccountFacet.sol#L25-L28https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/facets/Account/AccountFacetImpl.sol#L23
Internal pre-conditions
Adam is a suspended user because of previous malicious action. 2. John doesn't know that Adam is suspended so John deposit for Adam 100ETH.
As the result 100ETH of John is locked.
carpark
Invalid
The depositor can deposit for suspended user.
Summary
Medium
In the function depositFor(address user, uint256 amount) the depositor can deposit for suspended user. The depositor isn't able to know who is suspended user. So the asset that the depositor deposited is locked because the suspended user can't withdraw from the contract.
Root Cause
In
AccountFacet.sol:26https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/facets/Account/AccountFacet.sol#L25-L28https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/facets/Account/AccountFacetImpl.sol#L23Internal pre-conditions
External pre-conditions
No response
Attack Path
No response
Impact
Medium
PoC
No response
Mitigation