As a liquidator, I can scan for liquidation-prone vaults, deposit a huge amount of TST or EUROs into the liquidation pool, liquidate the undercollateralized vault, and the rewards then get updated. After waiting a day, I can withdraw all the rewards and staked assets.
This is an uneven/unfair reward distribution and it affects the honest stakers.
The vulnerability lies in the distribution mechanism: rewards are distributed without accounting for how long the staked assets have been in the pool.
With time-period accounting, stakers would receive fair rewards.
Proof of Concept
1. The attacker scans for a liquidation-prone vault.
2. The attacker deposits a huge sum of TST and EUROs, then calls LiquidationPoolManager.runLiquidation() to liquidate that vault.
3. Rewards are now distributed in the liquidation pool, which happens on every liquidation.
4. The attacker waits for a day and withdraws the huge rewards gained unfairly.
Severity: High (unfair reward distribution)
Tools Used: Manual review
Recommended Mitigation Steps
Redesign the liquidation pool contract in an ERC4626 way that accounts for shares and their price.
That way, shares get more expensive as more stakers come in, and the rewards will be fair.
Or modify LiquidationPool.distributeAssets to distribute in a time-based manner.
Or, to reduce the attacker's ability to earn rewards unfairly, do not distribute rewards to pending stakers, but only to holders.
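The following Python simulation is an added illustration and is not code from the LiquidationPool contract or the project. It models the scenario in the proof of concept (an honest staker who has staked for a full day and a latecomer who deposits a much larger amount one second before a liquidation) under three constructed accounting rules: the time-agnostic pro-rata snapshot the finding describes, the same snapshot restricted to stakes older than a one-day cooldown (the "holders only" suggestion), and a time-weighted rule that weights each stake by amount multiplied by seconds staked since the previous distribution (the "time-based" suggestion). Class names, amounts, timestamps and the Stake/SnapshotPool/TimeWeightedPool helpers are all assumptions made for this example.

```python
"""Constructed simulation of liquidation-reward accounting in a staking pool.

Three distribution rules are compared on one constructed scenario:
  * SnapshotPool            - pro-rata to balances at the moment of liquidation
                              (the time-agnostic behaviour the finding describes)
  * SnapshotPool(min_age=DAY) - same, but stakes younger than a cooldown get nothing
                              (the "only distribute to holders" mitigation)
  * TimeWeightedPool        - pro-rata to amount * seconds staked since the previous
                              distribution (the "time-based" mitigation)
Nothing here is the LiquidationPool source; names and numbers are illustrative.
"""
from dataclasses import dataclass
from fractions import Fraction  # exact arithmetic, so shares add up to the payout

DAY = 86_400  # seconds; constructed cooldown / staking horizon


@dataclass
class Stake:
    amount: int
    since: int  # timestamp of the deposit


class SnapshotPool:
    """Time-agnostic rule: every liquidation pays out pro-rata to current balances."""

    def __init__(self, min_age: int = 0):
        self.min_age = min_age  # 0 reproduces the behaviour in the finding
        self.stakes = {}
        self.rewards = {}

    def deposit(self, who: str, amount: int, now: int) -> None:
        self.stakes[who] = Stake(amount, now)
        self.rewards.setdefault(who, Fraction(0))

    def distribute(self, assets: int, now: int) -> None:
        # Only stakes at least min_age seconds old take part in this payout.
        eligible = {w: s for w, s in self.stakes.items() if now - s.since >= self.min_age}
        total = sum(s.amount for s in eligible.values())
        if total == 0:
            return
        for who, s in eligible.items():
            self.rewards[who] += Fraction(assets * s.amount, total)


class TimeWeightedPool:
    """Time-based rule: weight = amount * seconds staked since the last distribution."""

    def __init__(self):
        self.stakes = {}
        self.rewards = {}
        self.last_distribution = 0

    def deposit(self, who: str, amount: int, now: int) -> None:
        self.stakes[who] = Stake(amount, now)
        self.rewards.setdefault(who, Fraction(0))

    def distribute(self, assets: int, now: int) -> None:
        # A stake only accrues weight for the window it was actually in the pool.
        weights = {
            w: s.amount * (now - max(s.since, self.last_distribution))
            for w, s in self.stakes.items()
        }
        total = sum(weights.values())
        self.last_distribution = now
        if total == 0:
            return
        for who, weight in weights.items():
            self.rewards[who] += Fraction(assets * weight, total)


def run_scenario() -> dict:
    """Constructed scenario: 'honest' stakes 100 at t=0, 'latecomer' stakes 900 one
    second before a liquidation at t=DAY that pays 1000 units into the pool.
    Returns {rule_name: {staker: reward}} for each of the three rules."""
    rules = (
        ("snapshot", SnapshotPool()),
        ("holders_only", SnapshotPool(min_age=DAY)),
        ("time_weighted", TimeWeightedPool()),
    )
    results = {}
    for name, pool in rules:
        pool.deposit("honest", 100, 0)
        pool.deposit("latecomer", 900, DAY - 1)
        pool.distribute(1000, DAY)
        results[name] = dict(pool.rewards)
    return results


if __name__ == "__main__":
    for rule, rewards in run_scenario().items():
        print(rule, {who: float(r) for who, r in rewards.items()})
```

Under the snapshot rule the latecomer collects 900 of the 1000 units despite having been staked for one second, which is the distortion the finding describes; under the cooldown rule the latecomer receives nothing from this payout, and under the time-weighted rule the latecomer's share is proportional to one second of staking, so almost the entire payout goes to the staker who carried the position for the whole day.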