`LiquidationPool::distributeAssets` is missing an `onlyManager` access modifier
Summary
The LiquidationPool::distributeAssets is missing an onlyManager modifier in order to protect this function. As a result, the function can be called by anyone and hence the parameteres passed including _collateralRate and _hundredPC can also be varied by anyone and not just the liquidator.
Vulnerability Details
In order for LiquidationPool::distributeAssets to be called, the _tokenId must be undercollateralised. This is because the LiquidationPoolManager::runLiquidation calls SmartVaultManagerV5::liquidateVault and this call reverts if the _tokenId is be undercollateralised.
https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/LiquidationPoolManager.sol#L59-L82
https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/SmartVaultManagerV5.sol#L81-L92
Since the LiquidationPool::distributeAssets can be called by anyone, the holders assets can be liquidated at anytime even if they are not undercollateralised.
Impact
Anyone can distribute assets and liquidate the holders even if they are not undercollateralised, alongside this they can do so by varying the parameters as well.
Tools Used
Manual Review
Recommendations
Use an onlyManager modifier in the function to protect it from being called by anyone.
Lead Judging Commences
distributeAssets-issue
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.