Open code423n4 opened 2 years ago
Duplicate of #28
Disagree with duplicate label as this shows a Value Extraction, front-running exploit. Medium severity as it's a way to "leak value"
This can be mitigated through addressing the "Vault value all tokens equally" issue
The issue is exactly the same as #28. Both issues present the exact same front-running example.
Handle
hickuphh3
Vulnerability details
Impact
Let us assume either of the following cases:
withdrawAll()
has been called on all active strategies to transfer funds into the vault._controller.strategies() = 0
Attempted withdrawals can be frontrun such that users will receive less, or even no funds in exchange for burning vault tokens. This is primarily enabled by the feature of having deposits in multiple stablecoins.
Proof of Concept
getPricePerFullShare()
of1e18
(1 vault token = 1 stablecoin). Alice has 1000 vault tokens, while Mallory has 2000 vault tokens, with the vault holdings being 1000 USDC, 1000 USDT and 1000 DAI.getPricePerFullShare()
now returns2e18
.Hence, Mallory is able to steal Alice's funds by frontrunning her withdrawal transaction.
Recommended Mitigation Steps
The withdrawal amount could be checked against
getPricePerFullShare()
, perhaps with reasonable slippage.