distributeAssets in LiquidationPool.sol (https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPool.sol#L205) has no onlyManager permission check. Anyone can therefore call distributeAssets directly and supply arbitrary, malicious values for _collateralRate and _hundredPC, the two parameters that scale how many EUROs each staker is charged for the collateral they receive.
Below is the function signature of distributeAssets
Observe that there is no onlyManager permission check, so any user can call the function with a _hundredPC of 0. What happens?
For every position, the cost in EUROs that should be charged for the collateral (costInEuros) evaluates to 0, because the expression ends in a multiplication by _hundredPC and anything multiplied by 0 is 0 (any _hundredPC far smaller than _collateralRate has the same effect to a lesser degree, since the cost scales with _hundredPC / _collateralRate):
https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPool.sol#L220C25-L221C60
Therefore the accumulated burn amount is 0 and no EUROs are burnt, while the collateral is still credited to the LP's stakers as rewards. Collateral leaves the protocol without the corresponding EUROs being removed from supply, so the EUROs are no longer backed by the collateral. This causes EURO depegging.
EURO depegging.
Manual Review
Add the onlyManager permission check to distributeAssets. This function is only meant to be called by the LP manager in https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPoolManager.sol#L80, which passes the protocol's own collateral rate and hundred-percent constant rather than caller-chosen values.
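As an added illustration (not the project's code), the following simplified pool shows the unprotected entry point beside the manager-restricted one, with a reduced form of the distribution loop so the zero can be traced from _hundredPC to the skipped burn. The contract, its staking bookkeeping, the single-asset cost formula and the stake helper are assumptions made for this example; only distributeAssets, onlyManager, manager, _collateralRate and _hundredPC mirror names from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified illustration written for this note; it is NOT the project's
// LiquidationPool. Everything except distributeAssets, onlyManager, manager,
// _collateralRate and _hundredPC is hypothetical.

interface IEUROs {
    function burn(address from, uint256 amount) external;
}

contract SimplifiedLiquidationPool {
    address public immutable manager;
    IEUROs public immutable EUROs;

    address[] public holders;                       // stakers with a position
    mapping(address => uint256) public stakedEuros; // EUROs each staker has put up
    mapping(address => uint256) public rewards;     // collateral owed to each staker

    constructor(address _manager, address _euros) {
        manager = _manager;
        EUROs = IEUROs(_euros);
    }

    modifier onlyManager() {
        require(msg.sender == manager, "only manager");
        _;
    }

    // Hypothetical minimal staking so holders/stakedEuros are populated when
    // exercising this locally; token custody is deliberately omitted.
    function stake(uint256 amount) external {
        if (stakedEuros[msg.sender] == 0) holders.push(msg.sender);
        stakedEuros[msg.sender] += amount;
    }

    // VULNERABLE shape: callable by anyone, and the caller supplies the two
    // values that scale the cost. With _hundredPC == 0 every costInEuros below
    // is 0, burnEuros stays 0, and collateral is still credited as rewards.
    function distributeAssetsUnprotected(
        uint256 collateralAmount,
        uint256 assetPriceEur,
        uint256 _collateralRate,
        uint256 _hundredPC
    ) external {
        _distribute(collateralAmount, assetPriceEur, _collateralRate, _hundredPC);
    }

    // FIXED shape: only the manager may call it, so _collateralRate and
    // _hundredPC are the protocol's own constants rather than attacker input.
    function distributeAssets(
        uint256 collateralAmount,
        uint256 assetPriceEur,
        uint256 _collateralRate,
        uint256 _hundredPC
    ) external onlyManager {
        _distribute(collateralAmount, assetPriceEur, _collateralRate, _hundredPC);
    }

    // Reduced distribution loop: one asset, its price already expressed in
    // EUROs with 18 decimals.
    function _distribute(
        uint256 collateralAmount,
        uint256 assetPriceEur,
        uint256 _collateralRate,
        uint256 _hundredPC
    ) internal {
        uint256 stakeTotal;
        for (uint256 i = 0; i < holders.length; i++) stakeTotal += stakedEuros[holders[i]];
        if (stakeTotal == 0) return;

        uint256 burnEuros;
        for (uint256 i = 0; i < holders.length; i++) {
            address holder = holders[i];
            uint256 portion = collateralAmount * stakedEuros[holder] / stakeTotal;
            // Cost scales with _hundredPC / _collateralRate; _hundredPC == 0 makes it 0.
            uint256 costInEuros = portion * assetPriceEur / 1e18 * _hundredPC / _collateralRate;
            if (costInEuros > stakedEuros[holder]) {
                portion = portion * stakedEuros[holder] / costInEuros;
                costInEuros = stakedEuros[holder];
            }
            stakedEuros[holder] -= costInEuros;
            rewards[holder] += portion; // collateral credited regardless of cost
            burnEuros += costInEuros;
        }
        // When _hundredPC == 0 this branch is skipped and no EUROs leave supply.
        if (burnEuros > 0) EUROs.burn(address(this), burnEuros);
    }
}
```

Deployed locally with a stub EUROs token, a call to distributeAssetsUnprotected with _hundredPC = 0 from any account grows rewards without ever reaching the burn, while the same call to distributeAssets from a non-manager account reverts before touching state.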