The Standard

Summary

An attacker can front-run the LiquidationPoolManager::runLiquidation() function with their own transaction, to steal a portion of the rewards that were meant for stakers.

Vulnerability Description

The attackers transaction would be:

1. Stake into the pool with a large amount of TST and EUROs

2. call LiquidationPoolManager::runLiquidation() on the intended vaultId

3. call LiquidationPool::claimRewards()

4. Withdraw their staking position, collecting profit

This works because their stake in step 1 has allowed them to gain a significant portion of the assets distributed from the liquidation, which was meant to be received by those who have been staking in the protocol.

The attacker does not need to front run the liquidation, they could find an opportunity for liquidation themselves, and still complete the 4-step transaction.

Impact

A significant proportion of assets that are meant to be attributed to other stakers can be unfairly, instantaneously accrued by a malicious actor whenever a liquidation opportunity is found, even though they were not staking in the pool for an entire block.

Recommended Mitigation

Consider implementing a "warmup period" where stakers canot accrue rewards.