Skip to content
This repository has been archived by the owner on Jan 7, 2024. It is now read-only.

volodya - liquidatePartyB can be avoided by frontrunning #50

Closed
sherlock-admin opened this issue Jul 3, 2023 · 0 comments
Closed

volodya - liquidatePartyB can be avoided by frontrunning #50

sherlock-admin opened this issue Jul 3, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Jul 3, 2023
edited by github-actions bot
Loading

volodya

high

liquidatePartyB can be avoided by frontrunning

Summary

Liquidation can be avoided by frontrunning and all the other functions that depend on AccountStorage.layout().partyBNonces
inside LibMuon vulnerable as well

Vulnerability Detail

Whenever the liquidator calls liquidatePartyB there is a hash check against AccountStorage.layout().partyBNonces[partyB][partyA]

    function verifyPartyBUpnl(
        SingleUpnlSig memory upnlSig,
        address partyB,
        address partyA
    ) internal view {
        MuonStorage.Layout storage muonLayout = MuonStorage.layout();
//        require(
//            block.timestamp <= upnlSig.timestamp + muonLayout.upnlValidTime,
//            "LibMuon: Expired signature"
//        );
        bytes32 hash = keccak256(
            abi.encodePacked(
                muonLayout.muonAppId,
                upnlSig.reqId,
                address(this),
                partyB,
                partyA,
                AccountStorage.layout().partyBNonces[partyB][partyA],
                upnlSig.upnl,
                upnlSig.timestamp,
                getChainId()
            )
        );
        verifyTSSAndGateway(hash, upnlSig.sigs, upnlSig.gatewaySignature);
    }

symmio-core/contracts/libraries/LibMuon.sol#L152
but partyB can avoid being liquidated by moving funds to yourself thus increasing accountLayout.partyBNonces[msg.sender][origin] so verifyPartyBUpnl will be reverted

    function transferAllocation(
        uint256 amount,
        address origin,
        address recipient,
        SingleUpnlSig memory upnlSig
    ) internal {
....
        accountLayout.partyBNonces[msg.sender][origin] += 1;
        accountLayout.partyBAllocatedBalances[msg.sender][origin] -= amount;
        // allocate for recipient
        accountLayout.partyBNonces[msg.sender][recipient] += 1;
        accountLayout.partyBAllocatedBalances[msg.sender][recipient] += amount;
    }

contracts/facets/Account/AccountFacetImpl.sol#L101
Or allocating and deallocating

Impact

Liquidation can be avoided by frontrunning

Code Snippet

Tool used

Manual Review

Recommendation

I didn't figure out how to fix this issue

Duplicate of #233
@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jul 10, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Jul 26, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin