The Standard

Summary

There are no access controls on the external function LiquidationPool::distributeAssets(), allowing a malicious actor to cause extra rewards to be paid out.

Vulnerability Details

There are no access controls on the external function LiquidationPool::distributeAssets(), so a malicious actor can call the function with malicious parameters including

1. _hundredPC = 0

2. An _assets array corresponding to ether such that Attacker's Portion == Ether balance of LiquidationPool

(Note that using other tokens in the _assets array will likely revert, due to the safeTransferFrom() in the distributeAssets() function, but the liquidationPoolManager may not hold the collateral tokens that are required to be transferred.

With ether on the other hand, the function will not revert.

Cost in euros is calculated via:

So if _hundredPC is passed in as 0, then costInEuros would be 0.

Then the function will update the rewards mapping with ether rewards (for every user), at 0 cost to the users. Then, in the same transaction, the malicious actor can claim the entire ether balance of the contract via LiquidationPool::claimRewards()

NOTE:
Alternatively, since it takes a bit of effort to calculate the correct token.amount to pass into the function (as getStakeTotal() is a private function), instead the malicous actor can use a relatively small value and continually re-enter distributeAssets() whenever their ether is paid out in claimRewards(), via using a contract with fallback function.

Impact

Stolen ether funds from the liquidity pool, which were meant to be other user's rewards.

Recommended Mitigation

Add a modifier to ensure that only the LiquidationPoolManager contract can call LiquidationPool::distributeAssets()