DittoETH
Tags: Ditto, DeFi, Foundry, Oracle
Prize pool: 55,000 USDC

Submission Details
Severity: medium
Status: Invalid

Front-run attack on updateYield() function

Summary

The updateYield() function can be front-run, allowing a malicious actor to capitalize on the difference between the old and new yield rates and collect more yield than they are entitled to.

Vulnerability Details

A malicious actor can monitor the mempool for pending transactions that call libVault::updateYield(). Upon spotting one, the actor submits one or more LimitShort orders with a higher gas fee so that they are mined before the updateYield() transaction. Any LimitShort orders that match have their ShortRecords created with the current vault.zethYieldRate. When the updateYield() transaction is eventually mined and executed, those ShortRecords become eligible to claim yield at the new, potentially higher rate.

This front-running strategy allows the malicious actor to capitalize on the difference between the old and new yield rates, effectively earning yield that they aren't entitled to under normal circumstances.

Impact

The vulnerability can lead to unintended yield distribution, benefiting the malicious actor at the expense of other users. The longer the interval between calls to updateYield(), and the more capital that accumulates in the interim, the greater the potential reward for the malicious actor. This distorts the intended yield distribution mechanism and may erode trust in the system.

Tools Used

Manual Review
Foundry

Recommendations

Add a timestamp field to the vault struct that records when vault.zethYieldRate was last updated, and compare it with short.updatedAt to decide which rate a user should receive.

Updates

Lead Judging Commences

0xnevi (Lead Judge), over 1 year ago: Submission Judgement Published. Invalidated. Reason: Other.

falconhoof (Submitter), over 1 year ago

0xnevi (Lead Judge), over 1 year ago: Submission Judgement Published. Invalidated. Reason: Other.
