Zaros
Perpetuals DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: low
Invalid

Missing Input Validation for ERC20 Asset and Amount in `MarketMakingEngineConfiguration::distributeProtocolAssetReward`

Summary

The function MarketMakingEngineConfiguration::distributeProtocolAssetReward lacks input validation to ensure that the asset provided is a valid ERC20 token address and that the amount to be distributed is greater than zero. This can lead to unexpected behavior, such as transferring tokens from invalid addresses or performing transfers when the amount is zero, which could result in incorrect or malicious contract interactions.

Vulnerability Details

The function does not validate whether the asset address is a valid ERC20 token contract.
The amount parameter is not checked to ensure it is greater than zero before proceeding with the reward distribution.
Without this validation, an invalid address or a zero amount could lead to failed transactions, loss of funds, or unintended behaviors in the contract.

Impact

Invalid Asset Address: If the asset address is not a valid ERC20 token, the safeTransfer method will fail, potentially causing the transaction to revert unexpectedly, which could lead to a loss of funds or halted contract execution.
Zero Amount: If the amount is zero, the function may still attempt to distribute rewards, potentially causing errors or wasted gas usage for unnecessary transactions.

Tools Used

Manual code review.

Recommendations

Validate the asset address.
Add a check to ensure the amount is greater than zero before proceeding with the distribution:

require(amount > 0, "Amount must be greater than zero");
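To show where both recommended checks sit relative to the safeTransfer call, here is an added illustrative sketch; it is not the Zaros implementation, and the function body, the single feeRecipient and the custom errors are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import { SafeERC20 } from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @dev Illustrative sketch only. The real MarketMakingEngineConfiguration
///      storage layout and recipient logic are not on this page; a single
///      fee recipient is assumed here to keep the example short.
contract RewardDistributionExample {
    using SafeERC20 for IERC20;

    error ZeroAddress();
    error NotAContract(address asset);
    error ZeroAmount();

    address public immutable feeRecipient; // assumed single recipient

    constructor(address _feeRecipient) {
        feeRecipient = _feeRecipient;
    }

    /// Hardened form of the pattern the report describes: validate the
    /// inputs first, then transfer.
    function distributeProtocolAssetReward(address asset, uint256 amount) external {
        // 1. Reject the zero address explicitly so the caller gets a clear
        //    reason instead of a generic failed-call revert.
        if (asset == address(0)) revert ZeroAddress();

        // 2. Require the address to hold bytecode. An EOA cannot be an ERC20.
        //    Recent OpenZeppelin SafeERC20 versions already revert when the
        //    target has no code; this check makes that failure explicit and
        //    descriptive before any state is touched.
        if (asset.code.length == 0) revert NotAContract(asset);

        // 3. Reject zero amounts to avoid no-op transfers that still cost gas.
        if (amount == 0) revert ZeroAmount();

        // 4. Only now perform the transfer. safeTransfer reverts on tokens
        //    that return false as well as on tokens with no return value.
        IERC20(asset).safeTransfer(feeRecipient, amount);
    }
}
```

Note that `asset.code.length > 0` only proves the address is a contract, not that it implements ERC20; the safeTransfer call remains the point at which a non-token contract is actually rejected.
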
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
