code-423n4 / 2022-01-notional-findings


BPT donations can be gamed #190

Status: Closed (closed by code423n4 2 years ago)

code423n4 commented 2 years ago

Handle

cmichel

Vulnerability details

The treasury manager sometimes sends BPT to the sNOTE contract and sNOTE are a claim on the total BPT balance.

From the docs:

Notional treasury management will periodically trade Notional protocol profits into ETH in order to purchase NOTE and increase the overall BPT share that sNOTE holders have a claim on.

These profits can be stolen by frontrunning this BPT.transfer with a deposit, catching the value, initiating a startCoolDown and then redeeming after REDEEM_WINDOW_SECONDS. This captures a share of the BPT donations.

Recommended Mitigation Steps

There are several fixes for this. All the smart contract fixes require quite some effort. The easiest mitigation is to do the BPT donations only through a private transaction (flashbots / ethermine) so they cannot be frontrun.
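The accounting behind this finding, as an added illustration that is not part of the original issue and not Notional's sNOTE code: a toy pro-rata share vault where a treasury donation raises the backing without minting shares, so whoever holds shares at the moment of the transfer captures a slice of it. The `vest_period` option (linear release of the donation over time) is an assumed alternative smart-contract mitigation used only to show why a cooldown alone does not help; the page names no specific contract fix. All names, amounts and time constants are constructed for the model.

```python
# Toy model of share-based accounting for a vault whose shares are a claim on a
# token balance (the sNOTE-over-BPT pattern). Constructed example, not project code.

DAY = 86_400


class ShareVault:
    """Pro-rata share vault. Donations increase the backing without minting shares.

    vest_period == 0 reproduces the instant-credit behaviour described in the finding;
    vest_period > 0 is an assumed mitigation: the donation is recognised linearly over time.
    """

    def __init__(self, vest_period=0):
        self.held = 0               # tokens physically held by the contract
        self.total_shares = 0
        self.balances = {}
        self.now = 0                # model clock, seconds
        self.vest_period = vest_period
        self.vest_amount = 0        # size of the current vesting schedule
        self.vest_start = 0

    def _unvested(self):
        # Portion of the latest donation that does not yet count towards the share price.
        if self.vest_period == 0:
            return 0
        elapsed = self.now - self.vest_start
        if elapsed >= self.vest_period:
            return 0
        return self.vest_amount * (self.vest_period - elapsed) // self.vest_period

    def assets(self):
        return self.held - self._unvested()

    def deposit(self, who, amount):
        # Shares minted at the current share price; the first depositor sets 1:1.
        assets = self.assets()
        if self.total_shares == 0 or assets == 0:
            shares = amount
        else:
            shares = amount * self.total_shares // assets
        self.held += amount
        self.total_shares += shares
        self.balances[who] = self.balances.get(who, 0) + shares
        return shares

    def donate(self, amount):
        # Treasury transfer: backing grows, no shares are minted.
        # Simplification: one schedule at a time, the unvested tail rolls into the new one.
        self.vest_amount = self._unvested() + amount
        self.vest_start = self.now
        self.held += amount

    def redeem(self, who, shares):
        if self.balances.get(who, 0) < shares:
            raise ValueError("insufficient shares")
        out = shares * self.assets() // self.total_shares
        self.balances[who] -= shares
        self.total_shares -= shares
        self.held -= out
        return out

    def advance(self, seconds):
        self.now += seconds


def late_depositor_profit(existing, late, donation, redeem_window, vest_period=0):
    """Tokens gained by a depositor who enters right before the donation and
    redeems as soon as the cooldown (redeem_window) allows. Hypothetical helper."""
    v = ShareVault(vest_period)
    v.deposit("holders", existing)      # long-term sNOTE holders
    s = v.deposit("late", late)         # deposit lands just before the treasury transfer
    v.donate(donation)
    v.advance(redeem_window)            # cooldown must elapse before redemption
    return v.redeem("late", s) - late


if __name__ == "__main__":
    # With instant credit the capture is donation * (late / total), whatever the cooldown length.
    print(late_depositor_profit(900, 100, 100, 3 * DAY))            # 10
    print(late_depositor_profit(900, 100, 100, 30 * DAY))           # 10
    # With a 30-day linear release only the slice vested during the holding period is captured.
    print(late_depositor_profit(900, 100, 100, 3 * DAY, 30 * DAY))  # 1
```

The two instant-credit runs give the same profit regardless of how long the redeem window is, which is why a cooldown by itself does not address the issue: the share price already moved at the moment of the transfer. A private transaction, as the report recommends, removes the frontrunning opportunity without touching the contract.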

pauliax commented 2 years ago

231