Lack of access control in distributeAssets() can lead to attackers stealing rewards from the pool without paying, resulting in loss of protocol's integrity.
The function distributeAssets() is meant to be called by the manager, which is LiquidationPoolManager.sol, using the runLiquidation() method.
However, this function has no access control. Malicious actors can exploit this vulnerability by directly invoking the function and passing arbitrary arguments.
The cost in EUROs is determined by the _collateralRate variable. Since any number can be passed in, a caller can pass a very big number so that, when the cost is divided by it, the result is 0, as Solidity integer division rounds down.
The protocol has some ETH in the LiquidationPool.sol contract. Now, a malicious user can pass in the ETH argument with a very high number for _collateralRate (type(uint256).max). The costInEuros will now be 0.
In line 227, rewards will be added (rewards[abi.encodePacked(_position.holder, asset.token.symbol)] += _portion;), but no EUROs are burnt from the holder's position.
The malicious user can then claim those inflated rewards.
One way malicious actors can abuse it is by inflating _collateralRate, enabling actors to obtain rewards without incurring the appropriate cost or at no cost.
Manual Review, Hardhat
Consider adding a modifier to the function that only allows the function to be called from the manager contract.
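A sketch of the recommended modifier, added here as an illustration and not taken from the protocol's code. The contract name, the cost formula, HUNDRED_PC and the single-holder bookkeeping are simplifying assumptions; only distributeAssets(), _collateralRate, costInEuros and the manager relationship come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified sketch, NOT the protocol's LiquidationPool.sol. The cost formula,
// HUNDRED_PC and the per-holder mappings are assumptions for illustration.
contract LiquidationPoolSketch {
    address public immutable manager;            // the LiquidationPoolManager contract
    uint256 public constant HUNDRED_PC = 100000; // assumed scale for rates
    mapping(address => uint256) public eurosStaked;
    mapping(address => uint256) public rewards;

    error NotManager(address caller);

    constructor(address _manager) {
        manager = _manager;
    }

    // The recommended fix: only the manager may trigger a distribution.
    modifier onlyManager() {
        if (msg.sender != manager) revert NotManager(msg.sender);
        _;
    }

    // Integer division rounds down, so a huge _collateralRate yields a cost of 0.
    function costInEuros(uint256 _portionValueEur, uint256 _collateralRate)
        public pure returns (uint256)
    {
        return _portionValueEur * HUNDRED_PC / _collateralRate;
    }

    // Without onlyManager, any caller could choose _collateralRate freely
    // (for example type(uint256).max) and be credited _portion at zero cost.
    function distributeAssets(
        address _holder,
        uint256 _portion,
        uint256 _portionValueEur,
        uint256 _collateralRate
    ) external onlyManager {
        require(_collateralRate > 0, "rate is zero");
        uint256 cost = costInEuros(_portionValueEur, _collateralRate);
        require(cost <= eurosStaked[_holder], "insufficient EUROs");
        eurosStaked[_holder] -= cost; // EUROs burnt from the position
        rewards[_holder] += _portion; // reward credited only after payment
    }
}
```

With the modifier in place, _collateralRate can only come from the manager's runLiquidation() path, so the rounding-to-zero cost is no longer reachable by an arbitrary caller.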