Whenever fees are distributed, an attacker can deposit a huge amount of TST, claim most of the fees, and withdraw
Rewards are dispersed to users as a percentage of the user's TST (in consolidated positions and in pending stakes) over the total TST. Rewards are distributed when a user calls the LiquidationPoolManager#distributeFees() function:
    // consolidated positions: each holder gets a pro-rata share of the fee by TST held
    for (uint256 i = 0; i < holders.length; i++) {
        address _holder = holders[i];
        positions[_holder].EUROs += _amount * positions[_holder].TST / tstTotal;
    }
    // pending stakes (deposited less than 1 day ago) are credited the same pro-rata share,
    // and their TST is also counted in tstTotal
    for (uint256 i = 0; i < pendingStakes.length; i++) {
        pendingStakes[i].EUROs += _amount * pendingStakes[i].TST / tstTotal;
    }
Steps:
When LiquidationPoolManager#distributeFees() is about to be called, the attacker deposits a huge amount of TST. The fresh deposit is still a pending stake, but both tstTotal and the pending-stake loop count it, so the attacker's stake is credited with most of the fee.
The attacker withdraws the TST and the EUROs profit by calling decreasePosition() once the pending stake is more than 1 day old.
As a result, an attacker with no intention of contributing to the protocol gains a large portion of the rewards. The only constraint is the 1-day delay before the staked TST can be withdrawn, so the attack is practical only if the attacker already holds a large amount of TST or the fee being distributed is large enough to justify locking the tokens for a day.
Other holders lose rewards they should have received.
Manual review.
Pending stakes should not be able to claim fee rewards; only consolidated positions should be credited in distributeFees().
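The following is an added example, not the protocol's code or the finding author's: a small Python model of the pro-rata split quoted above, run once with pending stakes counted (the behaviour described in this finding) and once with pending stakes excluded (the recommended mitigation). The class and method names (LiquidationPoolModel, stake, consolidate, distribute_fees, withdraw), the 1-day consolidation rule, and the sample balances are assumptions made for the illustration.

```python
# Added example (not the protocol's code). Models the two pro-rata loops from
# distributeFees() and the 1-day pending -> position consolidation described in
# the finding. Names and numbers below are assumptions for illustration only.
from __future__ import annotations

from dataclasses import dataclass

ONE_DAY = 24 * 60 * 60


@dataclass
class Stake:
    holder: str
    tst: int            # TST staked
    euros: int = 0      # EUROs rewards accrued to this stake
    created_at: int = 0


class LiquidationPoolModel:
    """positions = consolidated stakes; pending = stakes less than 1 day old."""

    def __init__(self, include_pending_in_fees: bool = True):
        self.now = 0
        self.positions: dict[str, Stake] = {}
        self.pending: list[Stake] = []
        # True mirrors the quoted loops (pending stakes earn fees and count in
        # tstTotal); False models the recommended mitigation.
        self.include_pending_in_fees = include_pending_in_fees

    def advance_time(self, seconds: int) -> None:
        self.now += seconds

    def stake(self, holder: str, tst: int) -> None:
        self.pending.append(Stake(holder, tst, 0, self.now))

    def consolidate(self) -> None:
        """Move stakes at least one day old into positions (assumed to run on deposit/withdraw)."""
        still_pending = []
        for s in self.pending:
            if self.now - s.created_at >= ONE_DAY:
                pos = self.positions.setdefault(s.holder, Stake(s.holder, 0))
                pos.tst += s.tst
                pos.euros += s.euros
            else:
                still_pending.append(s)
        self.pending = still_pending

    def tst_total(self) -> int:
        total = sum(p.tst for p in self.positions.values())
        if self.include_pending_in_fees:
            total += sum(s.tst for s in self.pending)
        return total

    def distribute_fees(self, amount: int) -> None:
        """Integer pro-rata split with the same shape as the two quoted loops."""
        total = self.tst_total()
        if total == 0:
            return
        for pos in self.positions.values():
            pos.euros += amount * pos.tst // total
        if self.include_pending_in_fees:
            for s in self.pending:
                s.euros += amount * s.tst // total

    def withdraw(self, holder: str) -> tuple[int, int]:
        """decreasePosition-style exit: only consolidated positions can be withdrawn."""
        self.consolidate()
        pos = self.positions.pop(holder, None)
        if pos is None:
            return (0, 0)
        return (pos.tst, pos.euros)


def run_scenario(include_pending_in_fees: bool) -> dict[str, int]:
    """Constructed scenario: two honest 1,000-TST holders; the attacker stakes
    98,000 TST right before a 1,000,000 EUROs fee is distributed."""
    pool = LiquidationPoolModel(include_pending_in_fees)
    pool.stake("alice", 1_000)
    pool.stake("bob", 1_000)
    pool.advance_time(ONE_DAY)
    pool.consolidate()              # honest holders are now consolidated positions
    pool.stake("attacker", 98_000)  # deposited just before distributeFees(); still pending
    pool.distribute_fees(1_000_000)
    pool.advance_time(ONE_DAY)      # attacker waits out the 1-day delay, then exits
    rewards = {}
    for who in ("alice", "bob", "attacker"):
        _tst, euros = pool.withdraw(who)
        rewards[who] = euros
    return rewards


if __name__ == "__main__":
    print("pending counted :", run_scenario(True))   # attacker 980000, alice/bob 10000 each
    print("pending excluded:", run_scenario(False))  # attacker 0, alice/bob 500000 each
```

With pending stakes counted, the attacker's 98,000 TST is 98% of tstTotal at the moment of distribution, so 980,000 of the 1,000,000 EUROs land on a stake that did not exist a block earlier and that can be withdrawn a day later. With pending stakes excluded from both tstTotal and the credit loop, the same deposit earns nothing until it has been consolidated, and the two honest holders split the fee as intended.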