The transfer in function LiquidationPool#distributeAssets() can revert when transferring 0 tokens
Function LiquidationPool#distributeAssets() doesn't check for a zero amount while transferring rewards, which can cause the liquidation process to fail.
Function distributeAssets() transfers a number of tokens that depends on each holder's position:
    } else {
        IERC20(asset.token.addr).safeTransferFrom(manager, address(this), _portion); // <----
    }
_portion is calculated as below:
    uint256 _portion = asset.amount * _positionStake / stakeTotal;
_positionStake is the total stake of the selected holder, and stakeTotal is the total stake of all holders. Since there is no limit on the amount a user can stake, an attacker can stake 1 wei of both TST and EUROs to make sure _portion is rounded down to 0 when asset.amount < stakeTotal. As some ERC20 implementations revert on zero-value transfers (see https://github.com/d-xo/weird-erc20#revert-on-zero-value-transfers), the liquidation process will fail.
The vault can't be liquidated when the transfer reverts.
Manual review.
Add an additional check to make sure the transfer value is > 0:
    if (asset.token.addr == address(0)) {
        nativePurchased += _portion;
    } else {
        if (_portion > 0) {
            IERC20(asset.token.addr).safeTransferFrom(manager, address(this), _portion);
        }
    }
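
The rounding and the effect of the guard, modelled in Python as an added example (this is not the contract's code). The token class, holder names and amounts are constructed, and skip_zero stands for the recommended `_portion > 0` check.

```python
# Constructed model of the pro-rata payout loop; not the LiquidationPool source.

class ZeroTransfer(Exception):
    """Stands in for the revert of a token that rejects zero-value transfers."""

class RevertOnZeroToken:
    def __init__(self, manager_balance):
        self.balances = {"manager": manager_balance, "pool": 0}

    def transfer_from(self, src, dst, amount):
        if amount == 0:
            raise ZeroTransfer("zero-value transfer")
        if self.balances[src] < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] += amount

def portion(asset_amount, position_stake, stake_total):
    # Same integer math as: asset.amount * _positionStake / stakeTotal
    return asset_amount * position_stake // stake_total

def distribute(token, asset_amount, stakes, skip_zero):
    """Pay each holder's share; returns the portion transferred per holder."""
    stake_total = sum(stakes.values())
    paid = {}
    for holder, stake in stakes.items():
        p = portion(asset_amount, stake, stake_total)
        if skip_zero and p == 0:
            paid[holder] = 0          # guard: nothing to move, no token call
            continue
        token.transfer_from("manager", "pool", p)
        paid[holder] = p
    return paid

def run(skip_zero):
    # Constructed values: 10**6 units of collateral, one 1-wei position
    stakes = {"alice": 5 * 10**18, "bob": 3 * 10**18, "dust": 1}
    token = RevertOnZeroToken(manager_balance=10**6)
    try:
        return distribute(token, 10**6, stakes, skip_zero)
    except ZeroTransfer:
        return None                   # on-chain, the whole liquidation reverts

if __name__ == "__main__":
    print("without guard:", run(skip_zero=False))
    print("with guard:   ", run(skip_zero=True))
```

Integer division also leaves a small undistributed remainder in the guarded run, which the guard does not change.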