Skip to content
This repository has been archived by the owner on Jan 7, 2024. It is now read-only.

sinarette - setSymbolPrice Accepts Outdated Signatures #127

Closed
sherlock-admin opened this issue Jul 3, 2023 · 0 comments
Closed

sinarette - setSymbolPrice Accepts Outdated Signatures #127

sherlock-admin opened this issue Jul 3, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Jul 3, 2023
edited by github-actions bot
Loading

sinarette

medium

setSymbolPrice Accepts Outdated Signatures

Summary

LiquidationFacetImpl#setSymbolsPrice accepts priceSig as input, but it does not check if the signature is out of date.

Vulnerability Detail

setSymbolsPrice marks the symbol prices and upnl for liquidation, which are input as the priceSig signature.

    /* LiquidationFacetImpl.sol */
    function setSymbolsPrice(address partyA, PriceSig memory priceSig) internal {
        ...
        LibMuon.verifyPrices(priceSig, partyA);
        require(maLayout.liquidationStatus[partyA], "LiquidationFacet: PartyA is solvent");
        require(
            priceSig.timestamp <=
                maLayout.liquidationTimestamp[partyA] + maLayout.liquidationTimeout,
            "LiquidationFacet: Expired signature"
        );

It only checks if the timestamp of priceSig has expired compared to the liquidation timeout - whether the priceSig is too late.
However, it does not check if the timestamp is before the liquidation timestamp or not - whether the priceSig is too early.
Moreover, the verifyPrices for priceSig also doesn't check if the signature is expired or not.

    /* LibMuon.sol */
    function verifyPrices(PriceSig memory priceSig, address partyA) internal view {
        require(priceSig.prices.length == priceSig.symbolIds.length, "LibMuon: Invalid length");
        bytes32 hash = keccak256(
        ...
        verifyTSSAndGateway(hash, priceSig.sigs, priceSig.gatewaySignature);
    }

For reference, you can check that the other verify methods check for the timestamp validity.

    function verifyPartyAUpnl(SingleUpnlSig memory upnlSig, address partyA) internal view {
        MuonStorage.Layout storage muonLayout = MuonStorage.layout();
        require(
            block.timestamp <= upnlSig.timestamp + muonLayout.upnlValidTime,
            "LibMuon: Expired signature"
        );

Impact

Malicious validators can set wrong prices and upnl for liquidation

Code Snippet

https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/facets/liquidation/LiquidationFacetImpl.sol#L39-L44

Tool used

Manual Review

Recommendation

Add validation for price signature, e.g.

    require(
        priceSig.timestamp >= maLayout.liquidationTimestamp[partyA],
        "LiquidationFacet: Expired signature"
    );

Duplicate of #113
@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jul 10, 2023
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Jul 26, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin @sherlock-admin2