The depositCollateralAndMintDsc
function allows users to deposit collateral and mint DSC tokens in a single transaction.
However, this function is vulnerable to frontrunning attacks, where an attacker can manipulate the collateral deposit process and secure DSC minting with a lower collateral price.
POC:
User A intends to deposit 1 WBTC as collateral to mint DSC tokens.
The current price of WBTC is $50,000 per token.
User A submits a transaction to call the depositCollateralAndMintDsc
function with the parameters (WBTC, 1 WBTC, X DSC), where X represents the desired amount of DSC tokens to mint.
Before User A's transaction is confirmed, the attacker (Front-runner) observes the pending transaction on the mempool and notices that User A intends to deposit 1 WBTC.
The attacker quickly submits their own transaction with a higher gas price, specifying the same parameters as User A (WBTC, 1 WBTC, Y DSC), where Y is a larger amount of DSC tokens to mint.
The attacker's transaction gets mined before User A's transaction due to the higher gas price, and their 1 WBTC is deposited as collateral.
Now, when User A's transaction gets mined, it fails because the contract's state has already been updated by the attacker's transaction. The attacker has successfully manipulated the collateral deposit process and secured DSC minting with a lower collateral price (1 WBTC).
Manual Review
Change the depositCollateral and mintDsc function to internal functions.
This will prevent frontrunners from manipulating the collateral deposit process.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.