Skip to content
This repository has been archived by the owner on Jan 7, 2024. It is now read-only.

shaka - No check for expired priceSig in setSymbolsPrice #179

Closed
sherlock-admin opened this issue Jul 3, 2023 · 0 comments
Closed

shaka - No check for expired priceSig in setSymbolsPrice #179

sherlock-admin opened this issue Jul 3, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Jul 3, 2023
edited by github-actions bot
Loading

shaka

high

No check for expired priceSig in setSymbolsPrice

Summary

The setSymbolsPrice function of the LiquidationFacetImpl library does not check if the priceSig is too old. This can result in the wrong uPnL, total unrealized loss and symbol prices being used in the liquidation process.

Vulnerability Detail

The liquidation process of a party A consists of 4 steps where a liquidator calls liquidatePartyA, setSymbolsPrice, liquidatePendingPositionsPartyA and liquidatePositionsPartyA functions of the library LiquidationFacetImpl.

The issue is that in the setSymbolsPrice there is no verification for the priceSig being too old. Note also that there is no check in LibMuon:verifyPrices function for party A nonce, so any previous valid signature for party A can be used.

Notice also that once the liquidationType for party A has been set, new calls to the setSymbolsPrice will revert if the priceSig.upnl and priceSig.totalUnrealizedLoss are not equal to the ones used in the first call. So even if an honest liquidator tried to update the liquidation data, it will fail.

Impact

A malicious liquidator can use an outdated signature which will result in the wrong uPnL, total unrealized loss and symbol prices being used in the liquidation process. This can result in party A being liquidated for a smaller or bigger amount than it should be.

Another possible impact is that the priceSig does not include all the symbols that party A has positions in, because it was signed before party A created the current quotes. This can result in the liquidation process not being able to liquidate all the positions of party A and getting stuck forever.

Code Snippet

https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/facets/liquidation/LiquidationFacetImpl.sol#L38-L44

https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/libraries/LibMuon.sol#L50-L68

Tool used

Manual Review

Recommendation

Add a check for the priceSig being too old in either LiquidationFacetImpl:setSymbolsPrice or LibMuon:verifyPrices functions.

require(
    block.timestamp <= priceSig.timestamp + muonLayout.priceValidTime,
    "LibMuon: Expired signature"
);

Duplicate of #113
@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jul 10, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Jul 26, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin