Missing proper access control in the `LiquidationPool.distributeAssets` function
Summary
Missing proper access control in the LiquidationPool.distributeAssets function.
Vulnerability Details
It appears that the LiquidationPool.distributeAssets function is intended to be exclusively callable by the LiquidationPoolManager as part of the liquidation process initiated by LiquidationPoolManager.runLiquidation. However, currently, the LiquidationPool.distributeAssets function lacks access control. This oversight allows any user to call it with arbitrary parameters. These parameters include:
_assetsarray, which specifies the tokens and amounts to be distributed along with the price feed for price determination._collateralRate, utilized in calculating thecostInEuros._hundredPC, a factor in thecostInEuroscalculation, which must be a constant (1e5)
Impact
The LiquidationPool.distributeAssets function requires token approval by the LiquidationPoolManager before transferring tokens from it. Because of this, no immediate vulnerabilities compromising the protocol are currently evident. However, future upgrades may introduce significant issues if this function remains unregulated.
Tools Used
Manual Review
Recommendations
To mitigate this issue, it is recommended to implement the onlyManager modifier in the distributeAssets function.
Lead Judging Commences
distributeAssets-issue
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.