Sandwich Attack on InitialisePoolLastRunTime() Allows Forced Weight Updates and Price Manipulation
Summary
Sandwich attack vulnerability in UpdateWeightRunner::InitialisePoolLastRunTime() allows attackers to MEV profits by calling performUpdate() sandwiched by Swap orders on the pool.
Vulnerability Details
Attacker frontrun transaction
-
Monitor mempool for InitialisePoolLastRunTime() calls
-
Place buy orders for tokens that will appreciate after if performUpdate() is called immediately, Orders will be in small batches to bypass
maxTradeSizeRatio -
InitialisePoolLastRunTime() sets lastPoolUpdateRun to past timestamp
poolRuleSettings[_poolAddress].timingSettings.lastPoolUpdateRun = _time; -
Call performUpdate() which now passes timing check:
block.timestamp - settings.timingSettings.lastPoolUpdateRun >= settings.timingSettings.updateInterval -
Execute sell orders to profit from weight-driven price changes
Impact
Profits from predictable price movements
Undermines pool stability mechanisms
Tools Used
Manual review
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.