code-423n4 / 2024-05-gondi-mitigation-findings


H-03 MitigationConfirmed #43

Open c4-bot-5 opened 5 months ago

c4-bot-5 commented 5 months ago

Lines of code

Vulnerability details

C4 Issue

H-03: Function distribute() lacks access control allowing anyone to spam and disrupt the pool's accounting

Comments

Original vulnerabilities/impacts: distribute() is only intended to be called by AuctionLoanLiquidator.sol in the liquidation settle assets flow. However, distribute() doesn’t implement access control which allows a malicious actor to call and manipulate the pool(loanManager)'s accounting.

Mitigation

Fix: https://github.com/pixeldaogg/florida-contracts/pull/364/files

```solidity
    function distribute(uint256 _proceeds, IMultiSourceLoan.Loan calldata _loan) external {
        if (msg.sender != getLiquidator) {
            revert InvalidCallerError();
        }
...

    function setLiquidator(address _liquidator) external onlyOwner {
        if (_liquidator == address(0)) {
            revert LiquidatorCannotBeUpdatedError();
        }
        getLiquidator = _liquidator;

        emit LiquidatorSet(_liquidator);
    }
```

The mitigation is to add access control to distribute() and only allow the owner-set liquidator address to call distribute(). In addition, an onlyOwner setLiquidator() method is added to allow setting the liquidator address.

The mitigation eliminates the attack vector and resolves the issue.

Conclusion

LGTM
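
An added regression check for the mitigation described above (not code from the Gondi repository or from the C4 submission): a hypothetical, reduced pool that keeps only the owner/liquidator pieces the fix touches, plus a Foundry test asserting that an arbitrary caller can no longer reach distribute(), that the owner-set liquidator can, and that setLiquidator() rejects both non-owners and address(0). Contract and test names, the totalDistributed stand-in for the pool's accounting, and the simplified distribute() signature are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "forge-std/Test.sol";
// Hypothetical, reduced pool with only the pieces the mitigation touches (not Gondi's code).
contract MinimalPool {
    error InvalidCallerError();
    error LiquidatorCannotBeUpdatedError();
    address public immutable owner;
    address public getLiquidator;
    uint256 public totalDistributed; // stand-in for the pool's accounting
    constructor(address _owner) { owner = _owner; }
    // Owner-only setter; address(0) is rejected so the guard below is never left open.
    function setLiquidator(address _liquidator) external {
        require(msg.sender == owner, "not owner");
        if (_liquidator == address(0)) revert LiquidatorCannotBeUpdatedError();
        getLiquidator = _liquidator;
    }
    // Mitigated distribute(): only the owner-set liquidator may update accounting.
    function distribute(uint256 _proceeds) external {
        if (msg.sender != getLiquidator) revert InvalidCallerError();
        totalDistributed += _proceeds;
    }
}

contract DistributeAccessTest is Test {
    MinimalPool pool;
    address owner = makeAddr("owner");
    address liquidator = makeAddr("liquidator");
    address attacker = makeAddr("attacker");
    function setUp() public {
        pool = new MinimalPool(owner);
        vm.prank(owner);
        pool.setLiquidator(liquidator);
    }
    function testDistributeAndSetterGuards() public {
        vm.expectRevert(MinimalPool.InvalidCallerError.selector);
        vm.prank(attacker); // arbitrary caller: reverts, accounting untouched
        pool.distribute(1 ether);
        assertEq(pool.totalDistributed(), 0);
        vm.prank(liquidator); // owner-set liquidator: accepted
        pool.distribute(1 ether);
        assertEq(pool.totalDistributed(), 1 ether);
        vm.expectRevert("not owner");
        vm.prank(attacker); // non-owner cannot redirect the liquidator role
        pool.setLiquidator(attacker);
        vm.expectRevert(MinimalPool.LiquidatorCannotBeUpdatedError.selector);
        vm.prank(owner); // owner cannot clear the role to address(0)
        pool.setLiquidator(address(0));
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed.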

c4-judge commented 5 months ago

alex-ppg marked the issue as satisfactory

c4-judge commented 5 months ago

alex-ppg marked the issue as confirmed for report