Vault: Withdrawals can be frontrun to cause users to burn tokens without receiving funds in return

[code423n4]

Handle

hickuphh3

Vulnerability details

Impact

Let us assume either of the following cases:

1. The vault / protocol is to be winded down or migrated, where either the protocol is halted and withdrawAll() has been called on all active strategies to transfer funds into the vault.
2. There are 0 strategies. Specifically, _controller.strategies() = 0

Attempted withdrawals can be frontrun such that users will receive less, or even no funds in exchange for burning vault tokens. This is primarily enabled by the feature of having deposits in multiple stablecoins.

Proof of Concept

1. Assume getPricePerFullShare() of 1e18 (1 vault token = 1 stablecoin). Alice has 1000 vault tokens, while Mallory has 2000 vault tokens, with the vault holdings being 1000 USDC, 1000 USDT and 1000 DAI.
2. Alice attempts to withdraw her deposit in a desired stablecoin (Eg. USDC).
3. Mallory frontruns Alice's transaction and exchanges 1000 vault tokens for the targeted stablecoin (USDC). The vault now holds 1000 USDT and 1000 DAI.
4. Alice receives nothing in return for her deposit because the vault no longer has any USDC. getPricePerFullShare() now returns 2e18.
5. Mallory splits his withdrawals evenly, by burning 500 vault tokens for 1000 USDT and the other 500 vault tokens for 1000 DAI.

Hence, Mallory is able to steal Alice's funds by frontrunning her withdrawal transaction.

Recommended Mitigation Steps

The withdrawal amount could be checked against getPricePerFullShare(), perhaps with reasonable slippage.

[GainsGoblin]

Duplicate of #28

[GalloDaSballo]

Disagree with duplicate label as this shows a Value Extraction, front-running exploit. Medium severity as it's a way to "leak value"

This can be mitigated through addressing the "Vault value all tokens equally" issue

[GainsGoblin]

The issue is exactly the same as #28. Both issues present the exact same front-running example.