The distributeAssets function can be called by anyone, so a caller can provide a minimal amount of ETH, such as 1 wei, and manipulate the positions of stakers in a wrong way.
The attacker can observe the positions of stakers and the Chainlink oracle, and whenever conditions best suit the attack, call the distributeAssets function to achieve the desired result.
The assets in LiquidationPool are at risk from an arbitrary collateral rate and hundred pc.
Manual Review
It is recommended either to change the visibility of the distributeAssets function or to add the onlyManager modifier to it, as the function is only called from inside the SmartVaultManager contract.
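The recommended restriction, as an added example that is not the audited contract's code: a simplified pool model in which distributeAssets takes the collateral rate and hundred pc from the caller and is gated by onlyManager. The contract name, storage layout, increasePosition helper, 1:1 pricing and the rate sanity check are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified model written for this example; not the audited LiquidationPool code.
// Stakes are plain numbers here (token transfers omitted) and 1 wei costs 1 stake unit.
contract LiquidationPoolModel {
    address public immutable manager;            // assumed: fixed at deployment
    address[] private holders;
    mapping(address => bool) private isHolder;
    mapping(address => uint256) public position; // staked balance per holder
    mapping(address => uint256) public rewards;  // wei credited per holder
    uint256 public totalStaked;

    constructor(address _manager) { manager = _manager; }

    // The restriction recommended above: only the manager contract may distribute.
    modifier onlyManager() {
        require(msg.sender == manager, "caller is not the manager");
        _;
    }

    function increasePosition(uint256 amount) external {
        require(amount > 0, "zero amount");
        if (!isHolder[msg.sender]) { isHolder[msg.sender] = true; holders.push(msg.sender); }
        position[msg.sender] += amount;
        totalStaked += amount;
    }

    // Each holder receives a pro-rata share of msg.value and pays for it out of
    // their position, discounted by hundredPC / collateralRate. Both rates are
    // caller-supplied, so without onlyManager any account sending 1 wei could
    // choose them and move every holder's position.
    function distributeAssets(uint256 collateralRate, uint256 hundredPC)
        external payable onlyManager
    {
        // Assumed sanity check: the discount can never exceed 100%.
        require(hundredPC > 0 && collateralRate >= hundredPC, "bad rates");
        require(totalStaked > 0, "no stakers");
        uint256 staked = totalStaked; // snapshot before positions change
        for (uint256 i = 0; i < holders.length; i++) {
            address h = holders[i];
            uint256 share = (msg.value * position[h]) / staked;
            uint256 cost = (share * hundredPC) / collateralRate;
            if (cost > position[h]) cost = position[h];
            position[h] -= cost;
            totalStaked -= cost;
            rewards[h] += share;
        }
    }
}
```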