The functions CreditDelegationBranch::_convertAssetsToUsdc and _convertUsdcToAssets are vulnerable to front-running (sandwich) attacks because they perform asset swaps without slippage protection. Neither function accepts a minimum acceptable output amount, so the swap is executed at whatever price the pool offers at execution time, and a malicious actor can profit by moving that price before the transaction lands.
In a front-running attack, an attacker observes the pending transaction in the mempool and, by paying a higher gas fee, places their own trade ahead of it. That trade shifts the pool price against the victim, the victim's swap then executes at the worse price, and the attacker closes their position afterwards (the classic sandwich). The user receives fewer tokens than expected and the difference is captured by the attacker.
To prevent this, the swap should enforce slippage protection: the caller (or the contract, from a trusted quote) supplies a minimum output amount, and the swap reverts if the received amount is below it. A deadline parameter is also advisable so that a transaction held back by a validator cannot be executed later under stale price assumptions. Without these checks, users are exposed to losing value on every conversion through unfavorable price changes caused by front-running.
Unfavorable Conversion Rates: Without slippage protection, users may receive significantly less value than expected when converting assets. With no minimum output enforced, there is no bound on the discrepancy between the expected and actual swap output, so users can lose funds to ordinary volatility as well as to deliberate manipulation.
Front-running Risk: An attacker can exploit this by front-running the transaction. By submitting a trade with a higher gas fee that moves the pool price before the contract's swap executes, and backing it out afterwards, the attacker extracts the difference. In thin or manipulated pools this can leave the user with far fewer tokens than expected, up to most of the value of the swap.
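The following is an added illustration of the fix, not code from the audited project: it shows the unprotected pattern (minimum output of zero) beside a hardened conversion that takes a caller-supplied minimum output and a deadline. The ISwapRouter interface, the SlippageExample contract and the function names are assumptions for the example; the page does not show how the real _convertAssetsToUsdc performs its swap. The minimum output should be derived from an off-chain quote (a quoter call or price API at transaction-build time), not from the pool's on-chain spot price, since an attacker can move the spot price in the same block.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical exact-input swap router interface (assumed for the example).
interface ISwapRouter {
    function swapExactInput(
        address tokenIn,
        address tokenOut,
        uint256 amountIn,
        uint256 amountOutMinimum,
        address recipient
    ) external returns (uint256 amountOut);
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

contract SlippageExample {
    ISwapRouter public immutable router;
    address public immutable usdc;
    uint256 public constant BPS = 10_000;

    error MinOutZero();
    error DeadlinePassed(uint256 deadline, uint256 nowTs);
    error SlippageExceeded(uint256 received, uint256 minimum);

    constructor(ISwapRouter _router, address _usdc) {
        router = _router;
        usdc = _usdc;
    }

    // VULNERABLE pattern: amountOutMinimum == 0 accepts any price, so a
    // sandwich attacker can drain most of the value of the swap.
    function convertAssetsToUsdcUnsafe(address asset, uint256 amountIn)
        external
        returns (uint256)
    {
        IERC20(asset).approve(address(router), amountIn);
        return router.swapExactInput(asset, usdc, amountIn, 0, address(this));
    }

    // HARDENED: the caller supplies the minimum acceptable USDC output
    // (computed off-chain from a quote) and a deadline. The router is told
    // the minimum, and the result is re-checked here so the guarantee does
    // not depend on the router honoring it.
    function convertAssetsToUsdc(
        address asset,
        uint256 amountIn,
        uint256 minUsdcOut,
        uint256 deadline
    ) external returns (uint256 usdcOut) {
        if (block.timestamp > deadline) revert DeadlinePassed(deadline, block.timestamp);
        if (minUsdcOut == 0) revert MinOutZero(); // refuse to run unprotected
        IERC20(asset).approve(address(router), amountIn);
        usdcOut = router.swapExactInput(asset, usdc, amountIn, minUsdcOut, address(this));
        if (usdcOut < minUsdcOut) revert SlippageExceeded(usdcOut, minUsdcOut);
    }

    // Derive a minimum output from an off-chain quote and a tolerance in
    // basis points, e.g. quotedOut = 1_000e6, slippageBps = 50 (0.5%)
    // gives 995e6.
    function minOutFromQuote(uint256 quotedOut, uint256 slippageBps)
        public
        pure
        returns (uint256)
    {
        require(slippageBps < BPS, "tolerance must be below 100%");
        return (quotedOut * (BPS - slippageBps)) / BPS;
    }
}
```

The same shape applies to _convertUsdcToAssets with the token direction reversed. Rejecting minUsdcOut == 0 outright is deliberate: a default of zero silently disables the protection, which is exactly the condition the finding describes.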