Custom Coffee Fly - updateDownsideProtected can be called by anyone leading to incorrect downside protection records on CDS module #1064

Open
sherlock-admin2 opened this issue Dec 30, 2024 · 0 comments

Custom Coffee Fly

Medium

updateDownsideProtected can be called by anyone leading to incorrect downside protection records on CDS module

Summary

The function updateDownsideProtected can be called by anyone. It's supposed to be called only by the borrowing contract. As such, anyone can change the recorded value of downsideProtected inside the CDS contract, which can lead to an incorrect downside protection value being used in the borrowing contract.

    function updateDownsideProtected(uint128 downsideProtectedAmount) external {
        downsideProtected += downsideProtectedAmount; // @audit anyone can call it to modify the downsideProtected value, any consequence?
    }

Root Cause

The function updateDownsideProtected is publicly callable by anyone due to the external keyword.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

Anyone can call it to change this value, which is used inside the borrowing contract, leading to an incorrect value being used when users call the withdraw functions.

PoC

No response

Mitigation

Only the core contract should be able to call the function updateDownsideProtected.
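One way to apply this mitigation, as an added example that is not the audited project's code: a minimal stand-in for the CDS contract in which updateDownsideProtected reverts for every caller except one configured address. The names admin, borrowingContract, setBorrowingContract and onlyBorrowingContract, and the events and errors, are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only: a reduced stand-in, not the audited CDS contract.
contract CDSAccessControlExample {
    error NotAdmin(address caller);
    error NotBorrowingContract(address caller);
    error ZeroAddress();

    event BorrowingContractSet(address indexed previous, address indexed current);
    event DownsideProtectedUpdated(address indexed caller, uint128 amount, uint128 total);

    address public immutable admin;    // assumed: the deployer configures the authorised caller
    address public borrowingContract;  // assumed name for the single authorised caller
    uint128 public downsideProtected;

    constructor() {
        admin = msg.sender;
    }

    /// Rejects every caller except the configured borrowing contract.
    /// While borrowingContract is unset (address(0)) every call reverts,
    /// because msg.sender can never be the zero address.
    modifier onlyBorrowingContract() {
        if (msg.sender != borrowingContract) revert NotBorrowingContract(msg.sender);
        _;
    }

    /// Admin-only wiring of the authorised caller; the event leaves an audit trail.
    function setBorrowingContract(address newBorrowing) external {
        if (msg.sender != admin) revert NotAdmin(msg.sender);
        if (newBorrowing == address(0)) revert ZeroAddress();
        emit BorrowingContractSet(borrowingContract, newBorrowing);
        borrowingContract = newBorrowing;
    }

    /// Same state change as the reported function, now gated by the modifier.
    function updateDownsideProtected(uint128 downsideProtectedAmount)
        external
        onlyBorrowingContract
    {
        downsideProtected += downsideProtectedAmount;
        emit DownsideProtectedUpdated(msg.sender, downsideProtectedAmount, downsideProtected);
    }
}
```

A test for this change should call updateDownsideProtected from an arbitrary account and expect a NotBorrowingContract revert, then call it from the configured address and check the stored total.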
