The distributeAssets function allows anyone to increase the rewards of any holders for any token/symbol without providing the tokens that correspond to the token symbol provided. It can also decrease the euros of any user's position and burn all euros held by the pool.
If distributeAssets is called by a user that is not the manager, they can set the asset to anything.
A user sets the asset amount > 0, asset.token.addr == address(0) and asset.token.symbol set to a token that is one of the acceptedTokens.
The asset.token.clAddr can be set to a contract to return any amount for assetPriceUsd.
If assetPriceUsd always returns 0 then costInEuros is 0 and all positions keep their euros and no euros are burned. All holders will receive their portion of rewards based on the asset.amount (controlled by attacker) and their stake. costInEuros could also be set to 0 by just passing 0 as the _hundredPC to the function.
assetPriceUsd and asset.amount could be set such that burnEuros burns entire pool's euro balance and all users lose their positions' EUROs. This can also be more simply done by setting the _hundredPC value to a very high number.
Rewards will be based on token.symbol's address in TokenManager's AcceptedTokens, not on the address given by the attacker for asset.token.
Token addr can be set to address(0) so only nativePurchased increases instead of transferring tokens from the manager. nativePurchased is capped by asset.amount, so the amount sent back to the manager contract can be 0. The attacker can avoid paying for the distributed asset.
An attacker could increase rewards arbitrarily for anyone and any token and steal any and all reward tokens without providing any assets.
The attacker could also decrease the euros of positions without providing assets to the pool.
Manual review.
Consider only allowing the manager to call distributeAssets or check the values being passed to the function. Would need to check the tokens are accepted tokens and that the addr corresponds to the correct symbol in AcceptedTokens. Also the clAddr must be checked to be a real chainlink feed. Maybe use whitelisted addresses for feeds.
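A simplified illustration of that recommendation, written for this report and not taken from the project's code base: the Token/Asset structs, the ITokenManager.getAcceptedToken lookup, the HUNDRED_PC constant and the distributeAssets signature are all assumed, reduced forms of the real contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed, simplified shapes of the project's asset structs (illustration only).
struct Token { bytes32 symbol; address addr; address clAddr; }
struct Asset { Token token; uint256 amount; }

// Assumed lookup on the TokenManager: whether a symbol is an accepted token and,
// if so, its registered token address and Chainlink feed address.
interface ITokenManager {
    function getAcceptedToken(bytes32 symbol) external view returns (bool exists, Token memory token);
}

contract LiquidationPoolHardened {
    address public immutable manager;
    ITokenManager public immutable tokenManager;
    uint256 public constant HUNDRED_PC = 100000; // assumed fixed denominator for _hundredPC

    error NotManager();
    error UnknownToken(bytes32 symbol);
    error TokenAddressMismatch(bytes32 symbol);
    error FeedAddressMismatch(bytes32 symbol);
    error BadHundredPC(uint256 value);

    constructor(address _manager, ITokenManager _tokenManager) {
        manager = _manager;
        tokenManager = _tokenManager;
    }

    // Access control: only the manager may trigger a distribution.
    modifier onlyManager() {
        if (msg.sender != manager) revert NotManager();
        _;
    }

    // Every asset must match the TokenManager's registration for its symbol, so a caller
    // cannot pair an accepted symbol with address(0) or with an arbitrary price feed.
    function _validateAsset(Asset memory asset) internal view {
        (bool exists, Token memory registered) = tokenManager.getAcceptedToken(asset.token.symbol);
        if (!exists) revert UnknownToken(asset.token.symbol);
        if (asset.token.addr != registered.addr) revert TokenAddressMismatch(asset.token.symbol);
        if (asset.token.clAddr != registered.clAddr) revert FeedAddressMismatch(asset.token.symbol);
    }

    function distributeAssets(Asset[] memory assets, uint256 hundredPC) external onlyManager {
        // Pinning the denominator prevents costInEuros being forced to 0 or inflated to burn the pool.
        if (hundredPC != HUNDRED_PC) revert BadHundredPC(hundredPC);
        for (uint256 i = 0; i < assets.length; i++) {
            _validateAsset(assets[i]);
            // Reward accrual and EUROs burning would follow here, now only over validated assets.
        }
    }
}
```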