Frontrunning `updateStrategyRewards` allows users to exploit outdated `totalStaked` for unfair rewards
Summary
Users can manipulate the protocol by frontrunning the StakingPool::updateStrategyRewards transaction to take advantage of the outdated totalStaked value. When totalStaked becomes outdated due to changes in strategies, it is eventually updated via _updateStrategyRewards. However, users can submit transactions, such as PriorityPool::claimLSDTokens, before this update occurs to either avoid a loss or improperly gain rewards that should be distributed across all users. This manipulation undermines the fairness of the reward distribution and allows malicious users to exploit the protocol for personal gain.
Vulnerability Details
The issue arises from the way totalStaked is used in critical functions such as StakingPool::getSharesByStake() and StakingPool::getStakeByShares(). These functions rely on an up-to-date totalStaked value to calculate users' shares and LST. However, when there is a net change in strategies, totalStaked may become outdated, and the protocol must rebalance the accounting using StakingPool::_updateStrategyRewards.
A malicious user can frontrun the updateStrategyRewards() transaction by calling PriorityPool::claimLSDTokens to claim their rewards and LST before the total staked value is updated. This allows the user to either avoid sharing losses that would have been distributed among all users after the update, or take advantage of inflated rewards based on the outdated totalStaked value.
For example, if a user frontruns with a claim transaction before updateStrategyRewards() corrects a decrease in totalStaked, the user can avoid being penalized for the loss, and the deficit will instead be shared by the remaining users.
Impact
This vulnerability allows malicious users to avoid losses or unfairly profit from the protocol by manipulating the outdated totalStaked value. By frontrunning updateStrategyRewards, they can skew the reward distribution system, causing other users to bear the losses or receive less than their fair share of the rewards. This undermines the integrity of the protocol's reward system, leading to a loss of trust and potential financial damage to the protocol's users.
Tools Used
Manual
Recommendations
Avoid stepwise changes when it comes to variables that directly affect users balance.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.