The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

Malicious users can open enormous positions if they see a distributeFees call in the mempool

Summary

Malicious users can take advantage of the protocol by opening stake positions only when they see a distributeFees() call to the LiquidationPoolManager contract in the mempool.

Vulnerability Details

This is not a vulnerability that opens up an attack vector, but it is definitely worth bringing up, as it degrades the core protocol experience for a user. After taking the fees, the malicious user simply closes their position in the pool.

This could perhaps be avoided by not distributing fees to the pending stakes array.

Impact

My guess is that the protocol's intention is to have users stake in the pool for an extended period of time. This vulnerability disincentivizes users from staking in the pool for a longer period, as many malicious actors just put funds in it to collect fees.

I will put the severity as HIGH, as it directly impacts the main functionality of the protocol.

Tools Used

Manual review

Recommendations

Rethink the fee distribution mechanism to disincentivize short-term stakers. Perhaps introduce a minimum stake time limit, or do not distribute fees to pending stakes.
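As an added illustration of both suggestions (not code from the audited LiquidationPoolManager or from the protocol), the hypothetical pool below treats a position as pending until it is MIN_STAKE_AGE old: pending positions cannot be withdrawn, and distributeFees() skips them entirely when splitting the incoming fees. The contract name, the 1-day minimum age, and the loop over a stakers array are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed by the pool.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// @notice Hypothetical staking pool (not the audited LiquidationPoolManager)
/// showing two mitigations for just-in-time staking around a fee distribution:
/// a minimum stake age before funds can be withdrawn, and a distribution that
/// counts only positions already past that age, so a position opened right
/// before distributeFees() receives nothing.
contract MinAgeFeePool {
    struct Position {
        uint256 amount;   // staked tokens
        uint256 stakedAt; // timestamp of the most recent deposit
        bool tracked;     // already present in the stakers array
    }

    IERC20 public immutable stakeToken;
    IERC20 public immutable feeToken;
    uint256 public constant MIN_STAKE_AGE = 1 days; // assumed value for the example

    address[] public stakers;                     // every address that ever staked
    mapping(address => Position) public positions;
    mapping(address => uint256) public claimable; // fee tokens owed to each staker

    constructor(IERC20 _stakeToken, IERC20 _feeToken) {
        stakeToken = _stakeToken;
        feeToken = _feeToken;
    }

    /// A position is "pending" until it is MIN_STAKE_AGE old.
    function isEligible(address account) public view returns (bool) {
        Position storage p = positions[account];
        return p.amount > 0 && block.timestamp >= p.stakedAt + MIN_STAKE_AGE;
    }

    /// Total stake that participates in the next distribution.
    function eligibleStake() public view returns (uint256 total) {
        for (uint256 i = 0; i < stakers.length; i++) {
            if (isEligible(stakers[i])) total += positions[stakers[i]].amount;
        }
    }

    function stake(uint256 amount) external {
        require(amount > 0, "zero stake");
        require(stakeToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        Position storage p = positions[msg.sender];
        if (!p.tracked) {
            p.tracked = true;
            stakers.push(msg.sender);
        }
        p.amount += amount;
        // Any deposit restarts the clock, so an existing staker cannot top up
        // a small eligible position right before a distribution.
        p.stakedAt = block.timestamp;
    }

    /// Minimum stake time limit: funds cannot leave before MIN_STAKE_AGE.
    function unstake(uint256 amount) external {
        Position storage p = positions[msg.sender];
        require(amount > 0 && amount <= p.amount, "bad amount");
        require(block.timestamp >= p.stakedAt + MIN_STAKE_AGE, "stake still locked");
        p.amount -= amount;
        require(stakeToken.transfer(msg.sender, amount), "transfer failed");
    }

    /// Pull feeAmount from the caller and split it pro rata among eligible
    /// positions only; pending positions are skipped entirely.
    function distributeFees(uint256 feeAmount) external {
        uint256 eligible = eligibleStake();
        require(eligible > 0, "no eligible stake");
        require(feeToken.transferFrom(msg.sender, address(this), feeAmount), "transfer failed");
        for (uint256 i = 0; i < stakers.length; i++) {
            address s = stakers[i];
            if (!isEligible(s)) continue;
            claimable[s] += feeAmount * positions[s].amount / eligible;
        }
    }

    function claim() external {
        uint256 owed = claimable[msg.sender];
        require(owed > 0, "nothing to claim");
        claimable[msg.sender] = 0;
        require(feeToken.transfer(msg.sender, owed), "transfer failed");
    }
}
```

With this layout, a staker who sees distributeFees() pending in the mempool and front-runs it with a deposit gets no share of that distribution, and cannot withdraw until the minimum age has passed. Two design caveats: the per-staker loop is unbounded in gas and is kept here only because the submission refers to a pending stakes array, so a production pool would track eligibility through an accumulator instead; and integer division leaves rounding dust in the contract, which a real implementation would need to account for.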

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
Assigned finding tags:

informational/invalid
