stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: high
Invalid

Unauthorized Distribution Of Rewards

Summary

SDLPoolCCIPControllerPrimary::_distributeRewards is marked as internal, making it susceptible to potential misuse by any contract inheriting from it. This vulnerability could allow a malicious contract to exploit the internal function, leading to unauthorized distribution of rewards.

Vulnerability Details

In the contract, the _distributeRewards function is called internally by the distributeRewards function, which does carry the access modifier onlyRewardsInitiator. This prevents unauthorized calls, but only if distributeRewards is called.

The vulnerability lies in the _distributeRewards function. Because it is marked as internal, it can be called from any contract that inherits from SDLPoolCCIPControllerPrimary.

A malicious contract could exploit this by inheriting from SDLPoolCCIPControllerPrimary and calling _distributeRewards with parameters that allow it to distribute rewards at its own will. This could lead to unauthorized distribution of rewards.

The parameters of _distributeRewards can be easily determined by the exploiter. The three parameters, destinationChainIds, _rewardTokens and _rewardTokenAmounts, can be determined in the malicious contract using the same methods that the distributeRewards function uses, and hence can be used to call the function and potentially cause an issue with unauthorized rewards distribution.

Impact

The potential impact of this vulnerability is HIGH. Misuse could lead to unauthorized control over the distribution of rewards, which could disrupt the normal operation of the system and potentially drain the system's resources.

Damage could be both financial, in terms of lost rewards, and reputational, as it could undermine trust in the system among users.

Tools Used

A thorough review of the code was done.

Recommendations

Instead of marking the function as internal, private can be used to mitigate the risk, so that it won't be accessible to other contracts which inherit from SDLPoolCCIPControllerPrimary.
Alternatively, an access modifier can be used on the _distributeRewards function, or a require statement can be added checking that only rewardsInitiator can call this function.

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
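
An added example, not part of the submission or of the stake.link code base: a minimal Solidity model of the pattern discussed above, showing what a contract that inherits an internal function can actually reach. The contract names, the single uint256 parameter, the rewardsDistributed counter and the 0xBEEF initiator address are assumptions made for illustration; only distributeRewards, _distributeRewards and onlyRewardsInitiator come from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Simplified stand-in for the controller: names mirror the submission, bodies are assumed.
contract ControllerModel {
    address public rewardsInitiator;
    uint256 public rewardsDistributed; // stands in for the controller's reward state

    error SenderNotAuthorized();

    modifier onlyRewardsInitiator() {
        if (msg.sender != rewardsInitiator) revert SenderNotAuthorized();
        _;
    }

    constructor(address _rewardsInitiator) {
        rewardsInitiator = _rewardsInitiator;
    }

    // The only externally reachable entry point; the access check lives here.
    function distributeRewards(uint256 _amount) external onlyRewardsInitiator {
        _distributeRewards(_amount);
    }

    // internal: compiled into this contract and its children, never part of the ABI.
    function _distributeRewards(uint256 _amount) internal {
        rewardsDistributed += _amount;
    }
}

// A child contract can expose the internal function, but only on its own deployment.
contract ChildModel is ControllerModel {
    constructor() ControllerModel(msg.sender) {}

    function callInternal(uint256 _amount) external {
        _distributeRewards(_amount); // writes ChildModel's storage, not the original's
    }
}

// Deploys both contracts and reports their state side by side.
contract VisibilityCheck {
    function run() external returns (uint256 onOriginal, uint256 onChild, bool guardHeld) {
        ControllerModel original = new ControllerModel(address(0xBEEF)); // constructed initiator
        ChildModel child = new ChildModel();
        child.callInternal(100);
        try original.distributeRewards(100) { guardHeld = false; } catch { guardHeld = true; }
        return (original.rewardsDistributed(), child.rewardsDistributed(), guardHeld);
    }
}
```

A contract that inherits from the controller is a separate deployment with its own address and storage, so the internal call in ChildModel never touches the original instance. run() returns the counters of both deployments and whether the modifier rejected the unauthorized caller.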