Desciption:
"In liquidate_collateral function from custody contract, there is no validation that info.sender is central_control contract. As a consequence, the coins to be used as repayment will only be transferred to stable_pool contract, without further logic to be executed. Later, an attacker could force the repayment of those coins to an arbitrary account, as shown in the following example:
Attacker calls liquidate_collateral function in custody contract.
An amount of stable coins are transferred from liquidation_queue contract to stable_pool contract.
Attacker forces the repayment of coins to himself as described in vulnerability Arbitrary repayment of coins from liquidations (see below)."
Code Location:
krp-cdp-contracts/contracts/custody/src/contract.rs#L385
Desciption: "In
liquidate_collateral
function from custody contract, there is no validation thatinfo.sender
is central_control contract. As a consequence, the coins to be used as repayment will only be transferred to stable_pool contract, without further logic to be executed. Later, an attacker could force the repayment of those coins to an arbitrary account, as shown in the following example:liquidate_collateral
function in custody contract.