code-423n4 / 2021-12-vader-findings


`VaderPoolV2` minting synths & fungibles can be frontrun #147

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

cmichel

Vulnerability details

The `VaderPoolV2` `mintFungible` and `mintSynth` functions perform an unsafe `nativeAsset.safeTransferFrom(from, address(this), nativeDeposit)` with a parameter-specified `from` address.

Note that these functions are not called by the Router; they are called directly on the pool. Therefore, users will usually be required to send two transactions: a first one approving the pool, and then a second one for the actual `mintSynth`.

An attacker can frontrun the `mintSynth(IERC20 foreignAsset, uint256 nativeDeposit, address from, address to)` function, using the same `from=victim` parameter but changing the `to` parameter to the attacker.

Impact

It's possible to frontrun victims, stealing their native token deposits and receiving synths / fungible tokens.

Recommended Mitigation Steps

Remove the `from` parameter and always perform the `safeTransferFrom` call with `from=msg.sender`.
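
The pattern described in the report next to the recommended form, as an added sketch that is not the Vader codebase or the reporter's code. The contract name `PoolSketch`, the `synthBalance` mapping, the 1:1 credit and the `mintSynthUnsafe` name are assumptions made for illustration; only the `safeTransferFrom` call and the `mintSynth` parameter list come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Illustrative sketch only: synth minting is reduced to a balance mapping
// credited 1:1 (assumption), so the funding source is the only thing shown.
contract PoolSketch {
    using SafeERC20 for IERC20;

    IERC20 public immutable nativeAsset;
    // Stand-in for the synth token minted per foreign asset (hypothetical).
    mapping(IERC20 => mapping(address => uint256)) public synthBalance;

    constructor(IERC20 _nativeAsset) {
        nativeAsset = _nativeAsset;
    }

    // Pattern from the report: the caller chooses `from`. The allowance check
    // inside transferFrom is against the pool as spender, not against
    // msg.sender, so any account's standing approval to the pool can be spent
    // by any caller, with the output credited to an arbitrary `to`.
    function mintSynthUnsafe(
        IERC20 foreignAsset,
        uint256 nativeDeposit,
        address from,
        address to
    ) external returns (uint256) {
        nativeAsset.safeTransferFrom(from, address(this), nativeDeposit);
        return _credit(foreignAsset, to, nativeDeposit);
    }

    // Recommended form: no `from` parameter. The deposit is always pulled
    // from msg.sender, so a caller can only spend their own approval.
    function mintSynth(
        IERC20 foreignAsset,
        uint256 nativeDeposit,
        address to
    ) external returns (uint256) {
        nativeAsset.safeTransferFrom(msg.sender, address(this), nativeDeposit);
        return _credit(foreignAsset, to, nativeDeposit);
    }

    function _credit(IERC20 foreignAsset, address to, uint256 amount) private returns (uint256) {
        require(to != address(0), "zero recipient");
        synthBalance[foreignAsset][to] += amount;
        return amount;
    }
}
```

A regression test for the fix would approve the pool from one account, call `mintSynth` from a second account with no approval, and assert that the call reverts.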