The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: high
Valid

Unauthorized calls to LiquidationPool::distributeAssets function, causing loss of funds

Summary

LiquidationPool::distributeAssets can be called by any address, not only by the LiquidationPoolManager. A malicious actor can invoke it with fabricated asset data and attacker-chosen rate parameters, which can lead to a significant loss of funds for both users and the protocol.

Vulnerability Details

The root cause of the vulnerability is missing access control on distributeAssets. The function is declared external payable without the onlyManager modifier, so any address, not just the LiquidationPoolManager, can invoke it and supply its own _assets array, _collateralRate and _hundredPC values, triggering an asset distribution the protocol never authorised.

// File: contracts/LiquidationPool.sol
205: function distributeAssets(ILiquidationPoolManager.Asset[] memory _assets, uint256 _collateralRate, uint256 _hundredPC) external payable { // <= FOUND
...
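The missing check and the recommended fix, as an added Solidity example. This is not The Standard's LiquidationPool source: only the distributeAssets signature, the Asset type name and the onlyManager modifier name come from the finding; the struct layout, the ManagerStub and Attacker contracts, the rate values and the "err-invalid-user" revert string are assumed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added, illustrative code: this is NOT The Standard's LiquidationPool source.
// Only the distributeAssets signature, the Asset type and the onlyManager name
// come from the finding; every other name, struct layout, rate value and
// revert string below is assumed for the example.

interface ILiquidationPoolManager {
    struct Token {          // assumed layout of a collateral token descriptor
        bytes32 symbol;
        address addr;       // address(0) for the chain's native token
        uint8 dec;
        address clAddr;     // price feed the pool would price the asset with
    }
    struct Asset {
        Token token;
        uint256 amount;
    }
}

// Minimal pool with the access check the finding recommends.
contract LiquidationPoolSketch {
    address public immutable manager;
    uint256 public distributedAssets;   // demo counter: asset entries that reached the body

    constructor(address _manager) {
        manager = _manager;
    }

    // Only the LiquidationPoolManager may distribute: it is the contract that
    // holds the liquidated collateral and supplies the genuine rates.
    modifier onlyManager() {
        require(msg.sender == manager, "err-invalid-user"); // revert string assumed
        _;
    }

    // Same signature as the finding's snippet, plus the missing modifier.
    // `payable` is kept so the manager can forward native collateral with the call.
    function distributeAssets(
        ILiquidationPoolManager.Asset[] memory _assets,
        uint256 _collateralRate,
        uint256 _hundredPC
    ) external payable onlyManager {
        require(_collateralRate > 0 && _hundredPC > 0, "err-invalid-rate"); // assumed extra guard
        // ... price each asset, burn stakers' EUROs for their portion and credit
        //     rewards (the real distribution logic is omitted here)
        distributedAssets += _assets.length;
    }
}

// Stand-in for the real manager: the only address that should reach the function.
contract ManagerStub {
    function distribute(
        LiquidationPoolSketch pool,
        ILiquidationPoolManager.Asset[] memory assets
    ) external payable {
        pool.distributeAssets{value: msg.value}(assets, 110_000, 100_000); // assumed rates
    }
}

// Unprivileged caller attempting the attack from the finding: a fabricated asset
// priced by a feed it controls, with attacker-chosen rates. Returns false because
// the patched pool reverts with "err-invalid-user".
contract Attacker {
    function attemptFakeDistribution(LiquidationPoolSketch pool, address fakeFeed)
        external
        returns (bool succeeded)
    {
        ILiquidationPoolManager.Asset[] memory assets = new ILiquidationPoolManager.Asset[](1);
        assets[0] = ILiquidationPoolManager.Asset({
            token: ILiquidationPoolManager.Token({
                symbol: bytes32("FAKE"),
                addr: address(this),  // attacker-controlled "token"
                dec: 18,
                clAddr: fakeFeed      // attacker-controlled "price feed"
            }),
            amount: 1_000_000 ether
        });
        try pool.distributeAssets(assets, 1, 100_000) {
            succeeded = true;   // only reachable on the unpatched pool
        } catch {
            succeeded = false;
        }
    }
}
```

To try it in a Hardhat or Foundry project, deploy ManagerStub first, deploy LiquidationPoolSketch with the stub's address as _manager, then deploy Attacker. Attacker.attemptFakeDistribution returns false and distributedAssets stays at 0, while ManagerStub.distribute with the same asset array succeeds and increments the counter. The unpatched function is the same body with the onlyManager modifier removed, in which case the attacker's call goes through with its own feed and rates.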

Impact

An attacker can call distributeAssets with fake assets and arbitrary _collateralRate and _hundredPC values, forcing the pool to burn the EUROs it holds for users against assets that have no real value. The result is a substantial financial loss for users and the protocol.

Tools Used

Manual Review

Recommendations

- function distributeAssets(ILiquidationPoolManager.Asset[] memory _assets, uint256 _collateralRate, uint256 _hundredPC) external payable {
+ function distributeAssets(ILiquidationPoolManager.Asset[] memory _assets, uint256 _collateralRate, uint256 _hundredPC) external payable onlyManager {
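Review bot: the added onlyManager modifier is the right fix, but the diff does not show the modifier's definition; confirm it requires msg.sender to equal the address the pool stores for the LiquidationPoolManager, and that it is also applied to any other entrypoint only the manager should reach, not just distributeAssets. The function stays external payable, which is only needed if the manager forwards native-token collateral in the same call, so confirm that is the intent before keeping it.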
Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

distributeAssets-issue
