Part 2

Summary

There is no minimum time requirement for providing liquidity an lp must meet before providing fees, therefore, unfairly, auser that has provided liquidity for 5 seconds is entitled to the same amount of rewards per share as a user who has provided liquidity for months.

Vulnerability Details

FeeDistrbutionBranch::claimFees has no minimum deposit requirement for fees to be distributed as a result, upon a malicious actor seeing a receiveMarketFee transaction with a large amount of assets being sent to the contract, they could front run the transaction to get a deposit and stake, then claim their rewards and instantly unstake and initiate withdraw to get the withdrawal process started. Then they can call redeem and easily extract value from the protocol despite not providing liquidity for any time before receiving the reward.

This attack could also become even more impactful and low cost through the use of a flash loan.

Note that front running is possible on monad and additionally, also similar types of issue has been found in previous contests on other contest platforms

https://solodit.cyfrin.io/issues/m-19-attacker-can-manipulate-interest-distribution-by-exploiting-asset-transfers-and-fee-accrual-mechanism-sherlock-sentiment-v2-git
https://solodit.cyfrin.io/issues/m-3-a-part-of-eth-rewards-can-be-stolen-by-sandwiching-claimdelayedwithdrawals-sherlock-rio-network-git

This attack only works if the reward distrbution is high and the fee is low, however, this is a valid possibility as the fee could be as low as 0%.

Impact

Loss of rewards for honest liquidity providers

Tools Used

Manual review

Recommendations

Implement a time lock so that users must have deposited for a minimum length of time before being eligible for rewards.