Omniscia fetchai Audit

LoanLiquidator Manual Review Findings

LLR-01M: Inexistent Access Control

Description:

The transferLoanACT function performs no access control on the caller, permitting the finalization of a loan transfer at any point in time by anyone.

Example:

contracts/ALP/LoanLiquidator.sol
function transferLoanACT(
    uint256 fromACTId,
    uint256 toACTId,
    uint256 actAmount,
    address trustee
) external whenNotPaused() {
    actContract.safeTransferFrom(
        loanLiquidatorWalletAddress,
        trustee,
        fromACTId,
        actAmount,
        ""
    );
    actContract.safeTransferFrom(trustee, loanLiquidatorWalletAddress, toACTId, actAmount, "");
}

Recommendation:

We advise strict access control to be imposed on this function to ensure that it cannot be invoked arbitrarily.

Alleviation:

Access control was properly introduced to the transferLoanACT function by invoking the internal requireIsPrivileged function.
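
The shape of the fix described in the alleviation, as an added sketch that is not the project's code or part of the audit report. The audit names requireIsPrivileged but does not show it, so its body, the isPrivileged allow-list, the admin role, the constructor and the contract name LoanLiquidatorSketch are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-1155 surface used by the function under review.
interface IERC1155Minimal {
    function safeTransferFrom(address from, address to, uint256 id, uint256 amount, bytes calldata data) external;
}

// Assumed layout: only transferLoanACT's signature and its two transfers come
// from the finding. whenNotPaused is left out because it is unrelated to the
// missing caller check.
contract LoanLiquidatorSketch {
    IERC1155Minimal public immutable actContract;
    address public immutable loanLiquidatorWalletAddress;
    address public immutable admin;               // assumed role holder
    mapping(address => bool) public isPrivileged; // assumed allow-list

    constructor(IERC1155Minimal act, address wallet) {
        actContract = act;
        loanLiquidatorWalletAddress = wallet;
        admin = msg.sender;
        isPrivileged[msg.sender] = true;
    }

    // Only the admin may grant or revoke the privileged role.
    function setPrivileged(address account, bool allowed) external {
        require(msg.sender == admin, "not admin");
        isPrivileged[account] = allowed;
    }

    // Assumed body of the internal guard named in the alleviation.
    function requireIsPrivileged() internal view {
        require(isPrivileged[msg.sender], "caller not privileged");
    }

    function transferLoanACT(
        uint256 fromACTId,
        uint256 toACTId,
        uint256 actAmount,
        address trustee
    ) external {
        // Reject arbitrary callers before any token leaves the wallet.
        requireIsPrivileged();
        actContract.safeTransferFrom(loanLiquidatorWalletAddress, trustee, fromACTId, actAmount, "");
        actContract.safeTransferFrom(trustee, loanLiquidatorWalletAddress, toACTId, actAmount, "");
    }
}
```

Because the guard runs first, a call from an unprivileged address reverts before either safeTransferFrom executes.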