silver_eth - There is insufficient access control on updating an account position #83
Comments
|
Appears to be a duplicate of #52 |
sherlock-admin3
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
silver_eth
High
There is insufficient access control on updating an account position
this is the check to ensure only authorized can modify a position
https://github.com/sherlock-audit/2024-08-perennial-v2-update-3/blob/main/perennial-v2/packages/perennial/contracts/libs/InvariantLib.sol#L78-L82
hoevere that check is done here
https://github.com/sherlock-audit/2024-08-perennial-v2-update-3/blob/main/perennial-v2/packages/perennial/contracts/Market.sol#L501-L502
which calls this
https://github.com/sherlock-audit/2024-08-perennial-v2-update-3/blob/main/perennial-v2/packages/perennial/contracts/MarketFactory.sol#L77-L88
the issue is anybody can make themselves an extension for an account
https://github.com/sherlock-audit/2024-08-perennial-v2-update-3/blob/main/perennial-v2/packages/perennial/contracts/MarketFactory.sol#L100-L103
effectively making them an operator thus allowing them to modify a position and withdraw the accouns collateral
The text was updated successfully, but these errors were encountered: