Skip to content
This repository has been archived by the owner on Jan 7, 2024. It is now read-only.

0xmuxyz - Lack of scaling the decimals precision in the AccountFacet#depositAndAllocateForPartyB(), which lead to a misaccounting #174

Closed
sherlock-admin opened this issue Jul 3, 2023 · 0 comments
Closed

0xmuxyz - Lack of scaling the decimals precision in the AccountFacet#depositAndAllocateForPartyB(), which lead to a misaccounting #174

sherlock-admin opened this issue Jul 3, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Jul 3, 2023
edited by github-actions bot
Loading

0xmuxyz

high

Lack of scaling the decimals precision in the AccountFacet#depositAndAllocateForPartyB(), which lead to a misaccounting

Summary

Within the AccountFacet#depositAndAllocateForPartyB(), the amount scaled to 1e18 decimals precision is supposed to be assigned into the AccountFacetImpl#allocateForPartyB().

However, within the AccountFacet#depositAndAllocateForPartyB(), the amount, which is 1e6 decimals (Not scaled), would be assigned into the AccountFacetImpl#allocateForPartyB() as it is.

This lead to a misaccounting that the amount subtracted from the balances storage in the AccountFacetImpl#allocateForPartyB() would be 1e12 times smaller than the actual amount.

Vulnerability Detail

Within the AccountFacet#depositAndAllocateForPartyB(), the amount would be assigned as a parameter.
Then, the AccountFacetImpl#allocateForPartyB() would be called and the amount would be assigned into there like this:
https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/facets/Account/AccountFacet.sol#L79

    function depositAndAllocateForPartyB(
        uint256 amount,  /// @audit
        address partyA 
    ) external whenNotPartyBActionsPaused onlyPartyB {
        AccountFacetImpl.depositForPartyB(amount);  
        AccountFacetImpl.allocateForPartyB(amount, partyA, true);  /// @audit - This "amount" must be 1e18 decimals precision
        ...
    }

Within the AccountFacetImpl#allocateForPartyB(), the amount would be subtract from the balances storage like this:
(NOTE:The amount assigned into the balances storage below is supposed to be 1e18 decimals precision)
https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/facets/Account/AccountFacetImpl.sol#L130

    function allocateForPartyB(uint256 amount, address partyA, bool increaseNonce) internal { /// @audit
        AccountStorage.Layout storage accountLayout = AccountStorage.layout();

        require(accountLayout.balances[msg.sender] >= amount, "PartyBFacet: Insufficient balance");
        require(
            !MAStorage.layout().partyBLiquidationStatus[msg.sender][partyA],
            "PartyBFacet: PartyB isn't solvent"
        );
        if (increaseNonce) {
            accountLayout.partyBNonces[msg.sender][partyA] += 1;
        }
        accountLayout.balances[msg.sender] -= amount;   /// @audit
        accountLayout.partyBAllocatedBalances[msg.sender][partyA] += amount;
    }

Within the AccountFacet#depositAndAllocateForPartyB() above, the amount assigned as a parameter would be 1e6 decimals precision.

And then, within the AccountFacet#depositAndAllocateForPartyB() above, the AccountFacetImpl#depositForPartyB() and the AccountFacetImpl#allocateForPartyB() would be called. The amount assigned into each function is supposed to be like this:

  • The amount that is assigned into the AccountFacetImpl#depositForPartyB() is supposed to be 1e6 decimals precision.
  • The amount that is assigned into the AccountFacetImpl#allocateForPartyB() is supposed to be 1e18 decimals precision.

However, the amount assigned into the AccountFacetImpl#allocateForPartyB() would not be scaled to 1e18 decimals precision. (Instead, the amount that is 1e6 decimals precision would be assigned into the AccountFacetImpl#allocateForPartyB() as it is)

Impact

This lead to a misaccounting that the amount, which subtracted from the balances storage in the AccountFacetImpl#allocateForPartyB(), would be 1e12 times smaller than the actual amount.
https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/facets/Account/AccountFacetImpl.sol#L130

This vulnerability would always be caused every single time when the AccountFacet#depositAndAllocateForPartyB() would be called. Thus, this severity is marked as "High".

Code Snippet

Tool used

Manual Review

Recommendation

Within the AccountFacet#depositAndAllocateForPartyB(), consider assigning the amount scaled to 1e18 into the AccountFacetImpl#allocateForPartyB() like this:

    function depositAndAllocateForPartyB(
        uint256 amount,
        address partyA 
    ) external whenNotPartyBActionsPaused onlyPartyB {
        AccountFacetImpl.depositForPartyB(amount);
+       uint256 amountWith18Decimals = (amount * 1e18) /
+       (10 ** IERC20Metadata(GlobalAppStorage.layout().collateral).decimals());
+       AccountFacetImpl.allocateForPartyB(amountWith18Decimals, partyA, true); 
-       AccountFacetImpl.allocateForPartyB(amount, partyA, true); 
        ...
    }

Duplicate of #222
@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jul 10, 2023
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Jul 26, 2023
@securitygrid securitygrid mentioned this issue Jul 26, 2023
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin @sherlock-admin2