The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: high
Valid

Attacker can burn all staked EURO

Summary

Lack of access control on the distributeAssets function of the liquidity pool enables an attacker to burn all staked EURO at no cost.

Vulnerability Details

distributeAssets is used to sell liquidated collateral to EURO stakers at a discount. It takes an Asset[] parameter that carries, for each token, the token address, its Chainlink price feed, its decimals and the amount, and uses those values to price the assets in EURO and burn the corresponding EURO from the stakers in exchange for distributing the assets to them. However, the function has no access control: anyone can call it and supply an arbitrary token address, price feed and decimals, and so burn all staked EURO.

Consider an attacker who creates a worthless ERC20 and calls distributeAssets with that token, passing as its price feed a contract the attacker controls that exposes the Chainlink feed interface and returns an arbitrary price. The pool values the worthless tokens at whatever the fake feed reports, hands them to the stakers and burns the stakers' EURO against them, at no cost to the attacker.
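As an added illustration (this is not The Standard's code), the sketch below puts a stripped-down pool with the unrestricted entry point the finding describes next to a manager-gated version matching the recommendation. The contract and token names, the burn hook on the EURO token, the 8-decimal feed answer and the pro-rata accounting are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not The Standard's code. Asset layout, EURO burn hook, FakeFeed and
// the pool/manager names are assumptions for illustration only.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function burn(address from, uint256 amount) external; // assumed: pool holds a burner role
}

// Subset of Chainlink's AggregatorV3Interface that the pool reads.
interface IPriceFeed {
    function latestRoundData()
        external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Attacker-deployed "feed": satisfies the interface and returns any price it was built with.
contract FakeFeed is IPriceFeed {
    int256 public immutable answer;
    constructor(int256 _answer) { answer = _answer; }
    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (1, answer, block.timestamp, block.timestamp, 1);
    }
}

abstract contract LiquidityPoolBase {
    struct Asset { IERC20 token; IPriceFeed feed; uint8 dec; uint256 amount; }

    IERC20 public immutable euro;              // EURO stablecoin staked in the pool (assumed)
    address[] public stakers;
    mapping(address => uint256) public staked;
    uint256 public totalStaked;

    constructor(IERC20 _euro) { euro = _euro; }

    function stake(uint256 amount) external {
        require(euro.transferFrom(msg.sender, address(this), amount), "transfer failed");
        if (staked[msg.sender] == 0) stakers.push(msg.sender);
        staked[msg.sender] += amount;
        totalStaked += amount;
    }

    // Price each asset with the CALLER-SUPPLIED feed and decimals, pull the tokens in,
    // hand them to stakers pro rata and burn the matching EURO from their stakes.
    function _distributeAssets(Asset[] calldata assets) internal {
        for (uint256 i; i < assets.length; i++) {
            Asset calldata a = assets[i];
            (, int256 price,,,) = a.feed.latestRoundData();
            require(price > 0, "bad price");
            // EURO value with 18 decimals; feed answer assumed to have 8 decimals like Chainlink
            uint256 euroValue = a.amount * uint256(price) * 1e18 / (10 ** uint256(a.dec)) / 1e8;
            require(a.token.transferFrom(msg.sender, address(this), a.amount), "pull failed");
            uint256 toBurn = euroValue > totalStaked ? totalStaked : euroValue;
            for (uint256 j; j < stakers.length; j++) {
                address s = stakers[j];
                if (staked[s] == 0) continue;
                uint256 share = toBurn * staked[s] / totalStaked;
                uint256 tokens = a.amount * staked[s] / totalStaked;
                staked[s] -= share;
                require(a.token.transfer(s, tokens), "payout failed");
            }
            totalStaked -= toBurn;
            euro.burn(address(this), toBurn);
        }
    }
}

// The pattern the finding describes: no caller check at all.
// Attacker flow (sketch):
//   WorthlessToken t = new WorthlessToken();   FakeFeed f = new FakeFeed(1e30);
//   t.approve(address(pool), 1e18);
//   pool.distributeAssets([Asset(t, f, 18, 1e18)]);   // euroValue >> totalStaked: every stake is burned
contract VulnerableLiquidityPool is LiquidityPoolBase {
    constructor(IERC20 _euro) LiquidityPoolBase(_euro) {}
    function distributeAssets(Asset[] calldata assets) external { _distributeAssets(assets); }
}

// The recommended shape: only the manager that actually holds liquidated collateral may call.
contract HardenedLiquidityPool is LiquidityPoolBase {
    address public immutable manager;          // LiquidityPoolManager address (assumed)
    constructor(IERC20 _euro, address _manager) LiquidityPoolBase(_euro) { manager = _manager; }
    modifier onlyManager() { require(msg.sender == manager, "LiquidityPool: not manager"); _; }
    function distributeAssets(Asset[] calldata assets) external onlyManager { _distributeAssets(assets); }
}
```

The gate on msg.sender is what closes the hole: with it, the only path to distributeAssets runs through the manager, so the token, feed and decimals that reach the pool are the ones the manager configured for real collateral rather than whatever an external caller chooses to pass.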

Impact

Tools Used

Manual Review

Recommendations

Restrict distributeAssets so that only the LiquidityPoolManager can call it, for example with a check that msg.sender is the manager address.

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

distributeAssets-issue

ptsanev Auditor
over 1 year ago
