First Flight #21: KittyFi

First Flight #21
Tags: Beginner Friendly, DeFi, Foundry
Submission Details
Severity: high
Status: Invalid

Potential MEV bot attack on `KittyPool::purrgeBadPawsition` could lead to financial losses for liquidators.

Description

When a liquidator wants to liquidate a user with a bad collateral ratio and earn some extra rewards, they call `KittyPool::purrgeBadPawsition`. The transaction is first submitted to the mempool. Transactions in the mempool are public, so MEV bots can monitor them for opportunities to exploit. MEV relies on reordering transactions from the order in which they were submitted into a new, more profitable order. An MEV bot can submit the same transaction with a higher gas price so that it executes before the liquidator's transaction. For example, the bot could initiate its own liquidation of the same user to capture the rewards intended for the original liquidator.

Impact

This attack would allow an MEV bot to frontrun the liquidator's initial transaction, liquidating the user and collecting the additional rewards. The liquidator's transaction would execute afterwards and would most likely revert, because the user with the bad collateral ratio has already been liquidated.

Tools Used

Manual review, VS Code

Recommended Mitigation

One possible solution is to use an MEV blocker, which is essentially a specialized RPC endpoint, such as https://cow.fi/mev-blocker. The RPC works by managing a permissionless network of validators and hiding transactions from the public mempool, so MEV bots cannot frontrun or sandwich these user transactions.
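The race described in the Description and Impact sections, and the effect of the mitigation above, as an added illustration that is not part of the original submission or of the KittyFi code base: a Python model in which a block builder orders pending transactions by gas price. `KittyPoolModel.liquidate` stands in for `KittyPool::purrgeBadPawsition`; the 150% collateral threshold, 5% liquidator bonus, account names and balances are constructed values, not KittyFi's. It also shows the defensive property the Impact section relies on: because the health check sits at the top of the liquidation function, the second, late liquidation reverts, so the frontrun liquidator loses only gas and the pool never pays out twice. With `private_relay=True` the pending transaction is not visible to the bot, which is what a private RPC such as the one recommended above provides.

```python
"""Toy model of a liquidation race in the public mempool (constructed example).

This is NOT KittyFi code: KittyPoolModel.liquidate stands in for
KittyPool::purrgeBadPawsition, and the threshold, bonus and balances below
are constructed numbers chosen to make the ordering effect visible.
"""
from dataclasses import dataclass


@dataclass
class Position:
    collateral: int   # collateral value in price units (constructed)
    debt: int         # borrowed amount in the same units (constructed)


@dataclass
class Tx:
    sender: str       # account that signed the liquidation call
    target: str       # position being liquidated
    gas_price: int    # bid for inclusion; builders order by this
    nonce: int        # order in which the tx reached the mempool


class KittyPoolModel:
    """Minimal lending pool: positions below the threshold may be liquidated."""

    LIQ_THRESHOLD_BPS = 15_000   # 150% collateral ratio (assumption, not KittyFi's value)
    BONUS_BPS = 500              # 5% liquidator bonus (assumption)

    def __init__(self, positions):
        self.positions = dict(positions)
        self.rewards = {}

    def has_bad_pawsition(self, user):
        p = self.positions[user]
        return p.collateral * 10_000 < p.debt * self.LIQ_THRESHOLD_BPS

    def liquidate(self, liquidator, user):
        # The health check is what protects the pool: once the first liquidation
        # lands the position is healthy again, so any later attempt reverts and a
        # frontrun costs the original liquidator only gas, never pool funds.
        if not self.has_bad_pawsition(user):
            raise ValueError("position healthy")
        p = self.positions[user]
        payout = min(p.debt * (10_000 + self.BONUS_BPS) // 10_000, p.collateral)
        self.rewards[liquidator] = self.rewards.get(liquidator, 0) + payout
        self.positions[user] = Position(p.collateral - payout, 0)


def build_block(mempool):
    """Builders include pending txs highest gas price first; ties keep arrival order."""
    return sorted(mempool, key=lambda t: (-t.gas_price, t.nonce))


def execute(pool, block):
    """Apply each tx in block order and record a success/revert receipt per sender."""
    receipts = []
    for tx in block:
        try:
            pool.liquidate(tx.sender, tx.target)
            receipts.append((tx.sender, "success"))
        except ValueError as exc:
            receipts.append((tx.sender, f"reverted: {exc}"))
    return receipts


def run_scenario(private_relay):
    """Replay the race; with a private relay the bot never sees the pending tx."""
    pool = KittyPoolModel({"alice": Position(collateral=140, debt=100)})  # 140% < 150%
    liquidator_tx = Tx("liquidator", "alice", gas_price=10, nonce=0)
    mempool = [liquidator_tx]
    if not private_relay:
        # Public mempool: the bot copies the visible call with a higher gas price,
        # so the builder orders it ahead of the original (the case in the report).
        mempool.append(Tx("mev_bot", "alice", gas_price=liquidator_tx.gas_price + 1, nonce=1))
    receipts = execute(pool, build_block(mempool))
    return receipts, pool.rewards


if __name__ == "__main__":
    for private in (False, True):
        receipts, rewards = run_scenario(private)
        print("private relay" if private else "public mempool", receipts, rewards)
```

In the public-mempool run the bot's copy is ordered first and collects the 105-unit payout, while the liquidator's call reverts with "position healthy"; in the private-relay run only the liquidator's transaction reaches the block and the payout goes to them. The model deliberately keeps the health check, because a pool that let the second call through would be double-paying out of user collateral, which is a far more serious bug than the lost reward the submission describes.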

Updates

Lead Judging Commences

shikhar229169 Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

v1vah0us3 Submitter 10 months ago
shikhar229169 Lead Judge 10 months ago
shikhar229169 Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
