`PredyPool::trade()` if statement is using the wrong address #450
Comments
@alex-ppg
Hey @YordanVuchev, thanks for contributing to the PJQA process! This represents a validation repository finding and as such was not evaluated by me directly. The whitelist is meant to guard direct callers rather than signatories to permit system components to integrate with the system properly.
Hey, @alex-ppg. This means that the filler is always the one executing the orders. This is about the whitelist according to the docs: This means that if there is a whitelist and someone tries to trade, when the filler executes his order it should revert because he is not whitelisted. This means that this pair is only for certain people that are whitelisted and not everyone can trade in it, so this makes the whitelist not a guard as you explained, but a list of certain addresses that will be able to use this pair.
I apologize for the confusion.
Lines of code
https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/PredyPool.sol#L265
https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/markets/perp/PerpMarketV1.sol#L159
Vulnerability details
Impact
The `trade()` function uses `msg.sender` when checking if the trader is allowed when `allowlistEnabled` is set to `true`, which is wrong because the `filler` is the one executing the orders of the traders and the `PredyPool::trade()` function is called in the market contracts so the `msg.sender` is the market contract, not the trader.
Proof of Concept
Consider the scenario when a trader wants to open a `Perp` position
The `filler` executes the trade order by calling `executeOrderV3L2()` from the `PerpMarket.sol` contracts which then calls the internal `executeOrder` function. As we can see here the `PredyPool::trade()` is called
https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/markets/perp/PerpMarketV1.sol#L159
When called like this the `msg.sender` in `PredyPool.sol` will be the `PerpMarketV1.sol` address
So here in `PredyPool::trade()` the if statement is wrong because it will not check if the address of the trader is allowed, because the trader is not `msg.sender`
https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/PredyPool.sol#L265
Tools Used
Manual Analysis
Recommended Mitigation Steps
Use the trader's address from the `tradeParams` that is passed from the market contract
Assessed type
Other
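A simplified model of the call path discussed in this issue, added here as an illustration and not taken from the Predy code base. `PoolModel`, `MarketModel`, the `trader` field and the setter functions are hypothetical, and the trader address is passed in directly instead of being recovered from a signed order. `trade()` returns the result of both a `msg.sender` check and a check against the order's trader, so the difference between guarding direct callers and guarding signers can be observed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified model, not the Predy source. Names other than trade(),
// executeOrder() and allowlistEnabled are hypothetical.
contract PoolModel {
    struct TradeParams {
        uint256 pairId;
        address trader; // assumed field carrying the order's signer
        int256 amount;
    }

    mapping(uint256 => bool) public allowlistEnabled;
    mapping(uint256 => mapping(address => bool)) public allowed;

    // Access control on the setters is omitted in this model.
    function enableAllowlist(uint256 pairId) external {
        allowlistEnabled[pairId] = true;
    }

    function allow(uint256 pairId, address who) external {
        allowed[pairId][who] = true;
    }

    function trade(TradeParams calldata p)
        external
        view
        returns (bool callerOk, bool traderOk)
    {
        bool gated = allowlistEnabled[p.pairId];
        // A msg.sender check evaluates whoever called trade() directly.
        callerOk = !gated || allowed[p.pairId][msg.sender];
        // A check on the forwarded trader evaluates the order's signer.
        traderOk = !gated || allowed[p.pairId][p.trader];
    }
}

contract MarketModel {
    PoolModel public immutable pool;

    constructor(PoolModel pool_) {
        pool = pool_;
    }

    // Invoked by a filler; inside pool.trade() msg.sender is address(this).
    function executeOrder(uint256 pairId, address trader, int256 amount)
        external
        view
        returns (bool callerOk, bool traderOk)
    {
        return pool.trade(PoolModel.TradeParams(pairId, trader, amount));
    }
}
```

With the allowlist enabled and only the `MarketModel` address allowed, `callerOk` is true for every trader routed through the market while `traderOk` is false. With only the trader allowed, the results are reversed.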