The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Valid

[H-1] `LiquidationPoolManager::distributeFees` lacks access control, meaning anyone can call it, putting the contract in an unexpected state.

Description:

The `LiquidationPoolManager::distributeFees` function is set to public, allowing anyone to call it without authorization. Therefore, others can invoke `LiquidationPoolManager::distributeFees` before the execution of `LiquidationPoolManager::runLiquidation`. This could lead to unexpected fee distribution, impacting the contract's fund flow.

Note: The `LiquidationPoolManager::forwardRemainingRewards` function is set to private, deepening my suspicion that `LiquidationPoolManager::distributeFees` should not be set as public.

Impact:

  1. Anyone can call it without restrictions. This could lead to unauthorized calls, compromising the expected functionality of the contract.

  2. Due to unexpected fee distribution, it will impact the fund flow of the contract.

Recommended Mitigation:

  1. Consider adding appropriate access control modifiers, such as `onlyOwner`, to the `distributeFees` function to ensure that only the contract owner can invoke this function.

  2. Alternatively, set the `distributeFees` function to private, similar to the `forwardRemainingRewards` function.
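
The two recommended mitigations can be combined as in the following sketch, which is an added example and not code from the submission or from the audited project. The contract `ManagerSketch`, the interfaces `IFeeToken` and `IFeePool`, and the names `feeToken`, `pool` and `poolFeeBps` are hypothetical stand-ins; only the function name `distributeFees` comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical minimal interfaces (assumed, not the project's own).
interface IFeeToken {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IFeePool {
    function distributeFees(uint256 amount) external;
}

contract ManagerSketch {
    address public immutable owner;
    IFeeToken public immutable feeToken;
    IFeePool public immutable pool;
    uint256 public immutable poolFeeBps; // pool's share of held fees, in basis points

    error NotOwner();

    // Mitigation 1: restrict the external entry point to the deployer.
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(IFeeToken _feeToken, IFeePool _pool, uint256 _poolFeeBps) {
        require(_poolFeeBps <= 10_000, "fee share above 100%");
        owner = msg.sender;
        feeToken = _feeToken;
        pool = _pool;
        poolFeeBps = _poolFeeBps;
    }

    // Any caller other than the owner reverts with NotOwner before fees move.
    function distributeFees() external onlyOwner {
        _distributeFees();
    }

    // Mitigation 2: the fee logic is private, so it is reachable only through
    // functions of this contract that already performed their own checks.
    function _distributeFees() private {
        uint256 amount = (feeToken.balanceOf(address(this)) * poolFeeBps) / 10_000;
        if (amount == 0) return; // nothing to distribute
        require(feeToken.approve(address(pool), amount), "approve failed");
        pool.distributeFees(amount);
    }
}
```

Other functions of the contract that need to distribute fees as part of their own flow would call `_distributeFees()` directly, so timing stays under the contract's control rather than an arbitrary caller's.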

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

frontrun-distrubutefees

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

frontrun-feedist-low
