Pending token positions can be consolidated after 1 day of submission. This is the case for both governance token TST and EUROs positions. It seems to be a measure to prevent sandwich attacks on liquidations. However, when fees are distributed, they are distributed only to TST holders, and pending stakes are taken into account as well. This means that a user who holds governance tokens can deposit a large amount of them in a transaction just before a distributeFees() transaction and take a larger portion of the rewards. The user can take them out only after 1 day has passed and the position is consolidated, so this is somewhat mitigated. Afterwards, the user can take their TST out to use it in other parts of the protocol while waiting for the next call to distribute fees.

https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPool.sol#L182

The feasibility of this attack depends on how governance tokens TST work in other parts of the larger protocol. Investigating further is out of scope for this audit. In any case, a user will have to keep their TST tokens locked in pendingStakes for at least a day, so it may be a good idea to not take pending TST stakes into account in the distributeFees() transaction, to avoid the above-mentioned attack.
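To make the accounting difference concrete, the following is an added Python model of the two weighting rules (counting pending stakes, as the finding describes, versus excluding them, as the mitigation proposes). It is not the protocol's code and does not reproduce LiquidationPool.sol; the pro-rata integer split, the one-day consolidation window, and the staker names and amounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DAY = 86400  # seconds; the finding states pending positions consolidate after 1 day


@dataclass
class Position:
    tst: int = 0                                   # consolidated TST stake
    pending: List[Tuple[int, int]] = field(default_factory=list)  # (deposit_time, amount)
    rewards: int = 0

    def pending_total(self) -> int:
        return sum(amount for _, amount in self.pending)


def consolidate(pos: Position, now: int) -> None:
    """Move pending TST deposited at least one day ago into the consolidated stake."""
    still_pending = []
    for deposited_at, amount in pos.pending:
        if now - deposited_at >= DAY:
            pos.tst += amount
        else:
            still_pending.append((deposited_at, amount))
    pos.pending = still_pending


def distribute_fees(pool: Dict[str, Position], fee: int, count_pending: bool) -> None:
    """Split `fee` pro rata by TST weight (assumed simplified model).

    count_pending=True mirrors the behaviour the finding describes (pending stakes
    earn fees); count_pending=False is the proposed mitigation.
    """
    weights = {
        name: pos.tst + (pos.pending_total() if count_pending else 0)
        for name, pos in pool.items()
    }
    total = sum(weights.values())
    if total == 0:
        return
    for name, pos in pool.items():
        pos.rewards += fee * weights[name] // total  # integer floor, like Solidity


def simulate(count_pending: bool) -> Dict[str, int]:
    """Constructed scenario: a long-term staker with 1_000 consolidated TST and a
    depositor who adds 9_000 TST just before a 1_000-unit fee distribution."""
    t0 = 1_700_000_000
    pool = {
        "long_term": Position(tst=1_000),
        "late_depositor": Position(),
    }
    pool["late_depositor"].pending.append((t0, 9_000))
    for pos in pool.values():
        consolidate(pos, now=t0)  # nothing has aged a full day yet
    distribute_fees(pool, fee=1_000, count_pending=count_pending)
    return {name: pos.rewards for name, pos in pool.items()}


def consolidates_after_one_day() -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Show the lock-up the finding relies on: (consolidated, pending) just before
    and exactly at the one-day mark for a single 9_000 TST deposit."""
    t0 = 1_700_000_000
    pos = Position()
    pos.pending.append((t0, 9_000))
    consolidate(pos, now=t0 + DAY - 1)
    before = (pos.tst, pos.pending_total())
    consolidate(pos, now=t0 + DAY)
    after = (pos.tst, pos.pending_total())
    return before, after


if __name__ == "__main__":
    print("pending counted:  ", simulate(count_pending=True))
    print("pending excluded: ", simulate(count_pending=False))
    print("consolidation:    ", consolidates_after_one_day())
```

With pending stakes counted, the late depositor captures 900 of the 1_000 fee units despite having no consolidated stake; with them excluded, the whole fee goes to the staker whose tokens have actually served the one-day window. The second function shows that the deposit stays in pending until the window elapses, which is the lock-up the finding cites as partial mitigation.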