circlelooper - Quote value can be less than minAcceptableQuoteValue

[sherlock-admin]

circlelooper

medium

Quote value can be less than minAcceptableQuoteValue

Summary

Quote value can be less than minAcceptableQuoteValue.

Vulnerability Detail

Every time Party A sends a quote, the lockedValues of the quote is checked to ensure its valus is no less than quote symbol's minAcceptableQuoteValue.

        require(
            lockedValues.total() >= symbolLayout.symbols[symbolId].minAcceptableQuoteValue,
            "PartyAFacet: Quote value is low"
        );

When quote is being opened, quote's lockedValues will be adjusted if quote.quantity == filledAmount and quote.orderType == OrderType.LIMIT.

                quote.lockedValues.mul(openedPrice).div(quote.requestedOpenPrice);

However, quote's lockedValues is not checked against minAcceptableQuoteValue any more, this is risky as quote's lockedValues can be less than minAcceptableQuoteValue at this time.
If it is in this case, quote will be opened with quote value being less than minAcceptableQuoteValue.

Impact

Quote is opened with its value less than minAcceptableQuoteValue.

Code Snippet

https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/facets/PartyB/PartyBFacetImpl.sol#L158-L167

Tool used

Manual Review

Recommendation

To mitigate this vulnerability, consider checking quote's lockedValues against minAcceptableQuoteValue when quote being opened.

Duplicate of #248