20,000 USDC
Submission Details
Severity: high
Valid

Lack of access control on `Fees::sellProfits` can lead to tokens being swapped at unwanted market conditions

Summary

Any user can call `Fees::sellProfits` at any time. This can be used to grief the protocol by calling the function for a loan token that is currently trading at an unfavorable price, forcing the accumulated fees to be swapped when the protocol would rather hold them.

Vulnerability Details

Let's take an example:

One of the loan tokens that the `Fees` contract currently holds is USDC. At some point USDC depegs to a price of, let's say, 0.90 USD.
At that point the protocol owners will probably not want to sell the accumulated USDC fees until it returns to a 1:1 ratio with USD, since the ETH price of USDC will also have dropped inside the Uniswap pair. However, a malicious user can come in and call `sellProfits` for USDC, and because the function is open to anyone and enforces no minimum output, the swap executes at the depegged price, leading to the protocol losing roughly 0.10 USD per USDC sold.

Impact

The protocol will sell its accumulated fees at lower prices than it would choose, accumulating losses it has no way to prevent.

Tools Used

Manual review

Recommendations

Add access control to the `Fees::sellProfits` function so that only the owner (or another trusted role) can trigger the sale. As a complementary hardening, let that caller pass a minimum acceptable output amount so the swap reverts instead of executing at an unfavorable price.
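To make the recommendation concrete, below is an added illustration written for this write-up; it is not the protocol's actual `Fees` contract, whose code is not reproduced here. It assumes a Uniswap V2-style router interface and a token-to-WETH swap path; the contract names, the `treasury` recipient, the `ProfitsSold` event and the `minAmountOut`/`deadline` parameters are hypothetical. The first contract shows the unrestricted shape the finding describes (anyone can call it, no output floor, deadline of "now"); the second restricts the call to the owner and lets that caller set a slippage floor and a deadline, so a depegged token cannot be dumped into the pool at whatever price it happens to offer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: the protocol swaps fees through a Uniswap V2-style router.
interface ISwapRouter {
    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path,
        address to,
        uint256 deadline
    ) external returns (uint256[] memory amounts);
}

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Shared plumbing for both variants (hypothetical helper, not project code).
abstract contract FeesBase {
    ISwapRouter public immutable router;
    address public immutable weth;
    address public immutable treasury; // hypothetical recipient of swap output

    constructor(ISwapRouter _router, address _weth, address _treasury) {
        router = _router;
        weth = _weth;
        treasury = _treasury;
    }

    // Swaps the contract's whole balance of `token` for WETH via the router.
    function _swapAll(address token, uint256 minOut, uint256 deadline)
        internal
        returns (uint256 amountIn, uint256 amountOut)
    {
        amountIn = IERC20(token).balanceOf(address(this));
        require(amountIn > 0, "Fees: nothing to sell");
        IERC20(token).approve(address(router), amountIn);

        address[] memory path = new address[](2);
        path[0] = token;
        path[1] = weth;

        uint256[] memory amounts =
            router.swapExactTokensForTokens(amountIn, minOut, path, treasury, deadline);
        amountOut = amounts[amounts.length - 1];
    }
}

// Vulnerable shape described in the finding: any caller, any time, no floor.
contract FeesVulnerable is FeesBase {
    constructor(ISwapRouter r, address w, address t) FeesBase(r, w, t) {}

    // A griefer calls this while `token` is depegged; amountOutMin == 0 and
    // deadline == block.timestamp mean the swap always goes through at the
    // current (bad) pool price.
    function sellProfits(address token) external {
        _swapAll(token, 0, block.timestamp);
    }
}

// Hardened variant: owner-gated, caller-supplied slippage floor and deadline.
contract FeesHardened is FeesBase {
    address public owner;

    event ProfitsSold(address indexed token, uint256 amountIn, uint256 amountOut);

    modifier onlyOwner() {
        require(msg.sender == owner, "Fees: not owner");
        _;
    }

    constructor(ISwapRouter r, address w, address t) FeesBase(r, w, t) {
        owner = msg.sender;
    }

    // Only the owner decides when fees are sold, and the swap reverts unless
    // the pool returns at least `minAmountOut` before `deadline`.
    function sellProfits(address token, uint256 minAmountOut, uint256 deadline)
        external
        onlyOwner
    {
        require(minAmountOut > 0, "Fees: set a slippage floor");
        require(deadline >= block.timestamp, "Fees: deadline passed");
        (uint256 amountIn, uint256 amountOut) = _swapAll(token, minAmountOut, deadline);
        emit ProfitsSold(token, amountIn, amountOut);
    }
}
```

The owner would compute `minAmountOut` off-chain from a quote at the moment of the call (for example, expected output minus an accepted slippage percentage); during a depeg such as the USDC example above, the owner simply does not call the function, and nobody else can.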
