-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
xiaoming90 - Suspended users can receive funds #10
Comments
The protocol team fixed this issue in the following PRs/commits: |
Escalate This issue should be at least a Medium Risk due to its significant impact (Loss of assets) if the risk is realized. As mentioned in the impact section of the report, it demonstrates that under certain conditions, it can lead to a loss of assets for innocent users. Following is the POC extracted from the report to demonstrate this:
Per Sherlock’s judging rules (https://docs.sherlock.xyz/audits/judging/judging#v.-how-to-identify-a-medium-issue)
Thus, this issue meets Sherlock's requirement of a Medium Risk, where it causes a loss of funds but requires certain external conditions or specific states. |
You've created a valid escalation! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
isn't it more a self-harm than a vulnerability, why should I transfer funds to a suspended account |
It will only be self-harm if Alice is already aware of Bob's account being suspended and she proceeds to transfer the funds, ignoring this fact. As mentioned in the report and escalation comment, in Step 3 of POC, there is no way for Alice to know that the protocol admin is going to submit a Thus, it is not self-harm, and the above POC presents a valid scenario. |
Very good catch, but I believe it should be invalid based on this rule about admin calls:
Hence, I believe the lead judge made the correct decision, planning to reject the escalation and leave the issue as it is. |
The judging rule "An admin action can break certain assumptions about the functioning of the code" is inadequate for use here. This rule has two parts:
On a sidenote, the reason this particular judging rule has been enacted in the past is that in many past contests, many people have raised the issue that users will be unfairly liquidated after the protocol has been unpaused (Report 1, Report 2. Report 3, Report 4), which might involve breaking some sort of assumptions such those below in order for the issue to be realized or triggered:
|
As I understand this requirement is just how the code works and is not documented in README or code comments (or at least I'm missing it). Let me explain how I see the issue:
So the only valid scenario is when the admin submits the transaction at almost the same time as the user, but the admin's call goes through earlier, that's why it wouldn't be a mistake in that case. But, since it requires the admin to make the call (without any malicious intent or an error) that leads to Alice losing funds, I believe it falls down this rule. Hope that answers your questions. The decision remains the same, planning to reject the escalation and leave the issue as it is. |
Result: |
Escalations have been resolved successfully! Escalation status:
|
The Lead Senior Watson signed off on the fix. |
xiaoming90
High
Suspended users can receive funds
Summary
Suspended users can receive funds from others. As a result, funds will be transferred to a suspended account, leading to funds being frozen. No user error is required for this issue to be triggered. This issue can happen under normal circumstances due to how blockchain transactions work. Refer to the "Impact" section for more details.
Vulnerability Detail
The
AccountFacet.allocate
function has anotSuspended(msg.sender)
modifier to ensure that no collateral is being allocated to a suspended account.https://github.com/sherlock-audit/2024-06-symmetrical-update-2/blob/main/protocol-core/contracts/facets/Account/AccountFacet.sol#L48
However, malicious users can bypass this invariant or restriction by exploiting the newly implemented
AccountFacet.internalTransfer
function. This function only checks if the sender (msg.sender
) is suspended but does not check if the recipient (user
) is suspended. Thus, it is possible to allocate funds to a suspended user.https://github.com/sherlock-audit/2024-06-symmetrical-update-2/blob/main/protocol-core/contracts/facets/Account/AccountFacet.sol#L79
Impact
Funds will be transferred to a suspended account, leading to funds being frozen. No user error is required for this issue to be triggered. This issue can happen under normal circumstances due to how blockchain transactions work. Consider the following scenario:
AccountStorage.layout().suspendedAddresses[Bob]
is false (not suspended) before submitting the transaction.internalTransfer
transaction to the mempool to allocate funds from her account to Bob's account.suspendedAddress
transaction to suspend Bob's account shortly afterwardinternalTransfer
andsuspendedAddress
transactions reside in the mempool. SincesuspendedAddress
TX has a higher gas fee thaninternalTransfer
TX, it will be executed first.internalTransfer
TX gets executed, the funds will be allocated to a suspended Bob account.Note that in Step 3, there is no way for Alice to know that the protocol admin is going to submit a
suspendedAddress
transaction after her.Code Snippet
https://github.com/sherlock-audit/2024-06-symmetrical-update-2/blob/main/protocol-core/contracts/facets/Account/AccountFacet.sol#L79
Tool used
Manual Review
Recommendation
The internal transfer should only proceed if the recipient has not been suspended. With this fix, Alice's
internalTransfer
TX will automatically revert to the earlier scenario.The text was updated successfully, but these errors were encountered: