The function distribute() can trigger internal accounting for the Pool, but it has no access control. As a result, anyone can call it directly with malicious data, leading to incorrect accounting in the Pool.
Mitigation
Only allow the Liquidator contract to call the distribute() function.
function distribute(uint256 _proceeds, IMultiSourceLoan.Loan calldata _loan) external {
+ if (msg.sender != getLiquidator) {
+ revert InvalidCallerError();
+ }
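Review bot: the added check at the top of distribute() compares msg.sender with getLiquidator without calling it, which is correct only if getLiquidator is an address state variable or immutable; if it is a getter function the condition should read `msg.sender != getLiquidator()`. The hunk does not show a declaration for InvalidCallerError, so confirm the error is declared in scope, and add a test asserting that a call from any address other than the Liquidator reverts before the accounting logic runs.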