Front-Run Attack On Keeper's `StrategyMainnet::claimAndSwap` Function Can Force Transaction To Revert
Summary
The claimAndSwap function in the protocol can be front-run by attackers to manipulate prices and force transaction to revert. This allows malicious actors to prevent keepers from executing core strategy operations, potentially maintaining depeg situations and disrupting protocol operations.
Vulnerability Details
Vulnerable code:
https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyMainnet.sol#L92
The claimAndSwap function performs several checks to ensure profitable swaps:
Checks that
amountToClaim < minOutChecks that
balAfter - balBefore > minOut
An attacker can monitor the mempool for keeper transactions and front-run them using either:
A single large swap to significantly move the price
Multiple smaller swaps to gradually affect the price (aka. block space filling)
Example attack sequence:
An attacker monitors the mempool for a keeper's transaction. He can also create a bot to do that.
When he sports a keeper's transaction he front-run it and manipulates the price
Finally the keeper's transaction executes and reverts due to price change
Impact
Keepers cannot execute core strategy operations when needed
Depeg situations could be maintained artificially
Higher costs for keepers due to failed transactions
Potential loss of arbitrage opportunities for the strategy
Tools Used
Manual Review
Recommendations
The thing that can be done to be protected againts this attack is to use private mempools or Flashbots for keeper transactions to prevent front-running.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.