code-423n4 / 2024-05-gondi-mitigation-findings


H-03 MitigationConfirmed #52

Open c4-bot-8 opened 3 months ago

c4-bot-8 commented 3 months ago

Lines of code

Vulnerability details

Issue

The function distribute() could trigger internal accounting for the Pool. However, there is no access control for this function. As a result, anyone could directly call it with malicious data, leading to incorrect accounting in the Pool.

Mitigation

Only allow the Liquidator contract to call the distribute() function.

function distribute(uint256 _proceeds, IMultiSourceLoan.Loan calldata _loan) external {
+    if (msg.sender != getLiquidator) {
+        revert InvalidCallerError();
+    }
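
Review bot: The caller check added at the top of distribute() compares msg.sender against getLiquidator, so the restriction is only as strong as whatever sets that value, and nothing in this hunk shows how it is set. Confirm that getLiquidator is initialised before distribute() is needed and can only be changed by a privileged caller, and add a test asserting that a call from any other address reverts with InvalidCallerError. A NatSpec line on distribute() stating that only the liquidator may call it would also document the new precondition.
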
c4-judge commented 3 months ago

alex-ppg marked the issue as satisfactory