The lack of access control on the distributeAssets() function of the LiquidationPool could lead to unfair manipulation of user rewards by carefully crafting the _assets, _collateralRate and _hundredPC parameters.
The distributeAssets() function serves to distribute the assets received from vault liquidations to stakers in the liquidation pool as rewards. The function lacks proper access control and input validation: it assumes the call comes from the manager, so any user can call it with crafted parameters and manipulate their own and other users' rewards. There are a few prerequisites when crafting the specific parameters:
1. The assets array must contain only entries with asset.token.addr == address(0) in order to bypass the safe transfer from the manager contract, since it would fail without proper allowance. If the address is 0, then the function only increases nativePurchased by the _portion.
2. _hundredPC must be 0. This makes costInEuros equal to 0, so no EUROs are taken out of the user's positions. burnEuros would also be 0, so the burn action, which could otherwise cause an unwanted revert, is bypassed.
3. All of the assets' symbols must be bytes32(0). Because of step 1, execution enters the returnUnpurchasedNative() function, which loops over all assets. In order to bypass the check if (_assets[i].token.addr == address(0) && _assets[i].token.symbol != bytes32(0)) and not send any ether (which would revert), the symbols must equal 0, so the condition always fails.
With this setup a caller can pass assets with any amounts and increase their own and other people's positions indefinitely at a cost of 0 EUROs (because of step 2).
This can lead to 2 impacts: complete drainage of the liquidation pool and complete DoS of the reward claims, since the above issue would inflate everybody's rewards and nobody would be able to claim due to insufficient funds. There is no manual way to decrease the rewards, so the pool would become insolvent and unusable.
Pool drainage, Loss of funds, DoS, Contract insolvency
Manual Review
Add access control to distributeAssets() so that it is only callable by the manager. Add proper input validation to make sure the passed assets are in an acceptable format (non-zero amounts, a non-zero symbol for every asset, and a msg.value that matches the native amounts being distributed). Take the collateral rate and hundred pc from the vault manager instead of accepting them as parameters.
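A sketch of what the recommended fix could look like, added here as an illustration and not taken from the project's code. Everything beyond the names used in the finding (distributeAssets, _assets, token.addr, token.symbol, the manager) is an assumption: the ISmartVaultManager interface with collateralRate() and HUNDRED_PC(), the simplified Token/Asset structs, the onlyManager modifier and the revert strings.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical sketch of the recommended fix. The interface, struct layout and
// modifier name are assumptions for illustration, not the project's own code.
interface ISmartVaultManager {
    function collateralRate() external view returns (uint256);
    function HUNDRED_PC() external view returns (uint256);
}

contract LiquidationPoolFixSketch {
    // Simplified shape: only the two fields the finding relies on.
    struct Token { bytes32 symbol; address addr; }
    struct Asset { Token token; uint256 amount; }

    address public immutable manager;
    ISmartVaultManager public immutable vaultManager;

    constructor(address _manager, address _vaultManager) {
        manager = _manager;
        vaultManager = ISmartVaultManager(_vaultManager);
    }

    // Fix 1: only the manager may trigger a distribution, closing the path
    // where an arbitrary caller crafts the parameters.
    modifier onlyManager() {
        require(msg.sender == manager, "err-invalid-user");
        _;
    }

    // Fix 2: collateral rate and hundred pc are read from the vault manager,
    // so _hundredPC can no longer be forced to 0 by the caller.
    function distributeAssets(Asset[] memory _assets) external payable onlyManager {
        uint256 collateralRate = vaultManager.collateralRate();
        uint256 hundredPC = vaultManager.HUNDRED_PC();
        require(hundredPC > 0 && collateralRate > 0, "err-invalid-rates");

        // Fix 3: validate every asset before any accounting happens.
        uint256 nativeTotal = _validateAssets(_assets);
        // Native rewards must actually be funded by the call, so an entry with
        // addr == address(0) cannot inflate positions for free.
        require(nativeTotal == msg.value, "err-native-mismatch");

        _distribute(_assets, collateralRate, hundredPC);
    }

    // Returns the sum of native amounts; reverts on the malformed shapes the
    // finding relies on (zero amounts, zero symbols).
    function _validateAssets(Asset[] memory _assets) internal pure returns (uint256 nativeTotal) {
        require(_assets.length > 0, "err-no-assets");
        for (uint256 i = 0; i < _assets.length; i++) {
            Asset memory asset = _assets[i];
            require(asset.amount > 0, "err-zero-amount");
            require(asset.token.symbol != bytes32(0), "err-zero-symbol");
            if (asset.token.addr == address(0)) {
                nativeTotal += asset.amount;
            }
        }
    }

    // The pool's existing distribution logic would remain here unchanged;
    // it is intentionally not reproduced in this sketch.
    function _distribute(Asset[] memory, uint256, uint256) internal {}
}
```

The three checks map directly onto the three prerequisites in the finding: the manager-only modifier removes the untrusted caller, reading hundred pc from the vault manager removes prerequisite 2, and rejecting zero symbols together with the msg.value check removes prerequisites 1 and 3.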