In LiquidationPool::distributeAssets, anyone is able to call the function with arbitrary _assets, _collateralRate and _hundredPC. _hundredPC can be set to 0 in order to increase rewards without limit.
Due to extreme lack of time, I could not manage to put together a code PoC, so I'll try to explain the issue as clearly as possible:
Setting _hundredPC to zero causes costInEuros to be zero, which means that _position.EUROs will be decreased by zero and the holder's rewards will be increased by _portion (which is always > 0 if _position.stake is > 0).
There are no other limitations to prevent this, other than
if (burnEuros > 0) IEUROs(EUROs).burn(address(this), burnEuros);
which will be passed without burning any tokens.
This means that a staker is able to call this function over and over with an arbitrary asset amount (that is present in LiquidationPoolManager) and zero _hundredPC, to the point that his rewards are equal to the amount of assets in LiquidationPoolManager, and then call claimRewards in order to withdraw all of his rewards (all within one transaction).
High - one can increase his rewards without limit and then use the claimRewards function to withdraw all of the assets within LiquidationPool within one transaction.
Manual review
Make sure that only LiquidationPoolManager can call this function, not an arbitrary address.
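A simplified sketch of the hardened function, added here as an illustration and not the project's own code: it restricts the caller to the manager and rejects any _hundredPC other than the canonical scale, so costInEuros can no longer be forced to zero. The single-asset, single-position layout, the HUNDRED_PC scale of 1e5, the _assetPriceInEuros parameter and the manager field are assumptions of this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified sketch of the distribution logic described in the finding (not the project's code).
// Only the pieces relevant to the issue are kept: one asset, one pool position, no burn.
contract LiquidationPoolSketch {
    struct Position { uint256 stake; uint256 EUROs; }

    address public immutable manager;          // assumed: the LiquidationPoolManager address
    uint256 public constant HUNDRED_PC = 1e5;  // assumed scale for _hundredPC / _collateralRate
    Position public position;
    uint256 public rewards;                    // asset units owed to the staker

    modifier onlyManager() {
        require(msg.sender == manager, "only manager");
        _;
    }

    constructor(address _manager, uint256 _stake, uint256 _euros) {
        manager = _manager;
        position = Position(_stake, _euros);
    }

    // Hardened: only the manager may distribute, and the percentage must be the canonical
    // value, so an external caller cannot pass _hundredPC == 0 to make costInEuros zero.
    function distributeAssets(
        uint256 _assetAmount,
        uint256 _assetPriceInEuros,   // assumed: 18-decimal EUR price of one asset unit
        uint256 _collateralRate,
        uint256 _hundredPC
    ) external onlyManager {
        require(_hundredPC == HUNDRED_PC, "bad hundredPC");
        require(_collateralRate >= HUNDRED_PC, "bad collateral rate");
        if (position.stake == 0 || _assetAmount == 0) return;

        // _portion: the staker's share of the liquidated asset (the whole amount with one staker)
        uint256 _portion = _assetAmount;
        // costInEuros: what the staker pays, discounted by HUNDRED_PC / _collateralRate.
        // With _hundredPC == 0 this would be 0 and _portion would be credited for free.
        uint256 costInEuros = _portion * _assetPriceInEuros / 1e18 * _hundredPC / _collateralRate;
        if (costInEuros > position.EUROs) {
            // scale the portion down to what the staker's EUROs can actually buy
            _portion = _portion * position.EUROs / costInEuros;
            costInEuros = position.EUROs;
        }
        position.EUROs -= costInEuros;
        rewards += _portion;
    }
}
```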