Part 2

Summary

The initiateSwap function includes a check for the vault’s asset balance: ctx.vaultAssetBalance < ctx.expectedAssetOut. However, a malicious actor can front-run the user and decrease the vaultAssetBalance during the fulfillSwap. This leads to a Denial of Service (DoS) attack, preventing the legitimate user from completing their swap request due to an apparent insufficient vault balance.

Vulnerability Details

The vulnerability lies in the following check within the initiateSwap function:
https://github.com/Cyfrin/2025-01-zaros-part-2/blob/main/src/market-making/branches/StabilityBranch.sol#L264-L265

The initiateSwap function verifies that the vault has enough assets to fulfill the swap request. However, between the time the swap is initiated and when the function processes the transaction, a malicious actor could perform a front-running attack by submitting an initiateSwap and the keeper executes fulfillSwap to update the balance.

https://github.com/Cyfrin/2025-01-zaros-part-2/blob/main/src/market-making/branches/StabilityBranch.sol#L409

When the legitimate user’s initiateSwap function is finally processed, the check for sufficient balance (ctx.vaultAssetBalance < ctx.expectedAssetOut) will fail because the vault balance has been manipulated. As a result, the swap request will be reverted, preventing the legitimate user from completing their transaction.

Impact

A malicious actor can exploit the front-running vulnerability in the initiateSwap and fulfillSwap functions to create a Denial of Service (DoS) attack that prevents legitimate users from completing their swap transactions.

Tools Used

Manual code review

Recommended Mitigation

To introduce lock value that prevents the vault balance from being altered during the execution of the swap transaction