Lines of code
https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts/anchor-bEth-contracts/contracts/anchor_beth_reward/src/user.rs#L201
Vulnerability details
Impact
The bETH reward contract allocates new rewards sent to the contract whenever update_global_index is called. It should be possible to time the transfer of the rewards to the contract and front-run it by increasing one's token balance to capture more rewards, then decreasing one's balance again. Validators can do this when they see the reward transfer; standard users might be able to time it as well if these reward transfers do not happen randomly.
Recommended Mitigation Steps
Consider not distributing all payments directly on the reward transfer / update_global_index call, but streaming them over a fixed period, similar to what is done with the "schedules" in anchor/contracts/anchor-token-contracts/contracts/staking/src/contract.rs.
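The effect of the recommended mitigation can be checked with a small accounting model. This is an added example, not code from the Anchor contracts: the `Pool` and `Holder` types, the 900/100 balances, the 1,000-unit reward and the linear per-block release are all assumptions chosen for illustration.

```rust
// Simplified global-index reward accounting (hypothetical names; not the
// Anchor contract code). Integer math, index scaled by 1e12.
const SCALE: u128 = 1_000_000_000_000;

#[derive(Default)]
struct Holder { balance: u128, index: u128, pending: u128 }

#[derive(Default)]
struct Pool { total: u128, global_index: u128, unreleased: u128, per_block: u128 }

impl Pool {
    // Settle a holder against the current index, then change the balance.
    fn set_balance(&mut self, h: &mut Holder, new_balance: u128) {
        h.pending += h.balance * (self.global_index - h.index) / SCALE;
        h.index = self.global_index;
        self.total = self.total - h.balance + new_balance;
        h.balance = new_balance;
    }
    // A reward arrives and is released over `period` blocks (1 = all at
    // once). The model assumes `amount` is divisible by `period`.
    fn fund(&mut self, amount: u128, period: u128) {
        self.unreleased += amount;
        self.per_block = amount / period;
    }
    // One block passes: release the next slice into the global index.
    fn tick(&mut self) {
        let slice = self.per_block.min(self.unreleased);
        if slice > 0 && self.total > 0 {
            self.unreleased -= slice;
            self.global_index += slice * SCALE / self.total;
        }
    }
}

// Reward earned by a 100-token balance held for one block around a 1,000-unit reward (900 held long-term).
fn short_term_capture(period: u128) -> u128 {
    let mut pool = Pool::default();
    let (mut long_term, mut short_term) = (Holder::default(), Holder::default());
    pool.set_balance(&mut long_term, 900);
    pool.set_balance(&mut short_term, 100); // balance raised just before the reward
    pool.fund(1_000, period);
    pool.tick();                            // first (or only) slice is allocated
    pool.set_balance(&mut short_term, 0);   // balance lowered right after
    for _ in 1..period { pool.tick(); }     // remaining slices go to long-term holders
    short_term.pending
}

fn main() {
    println!("instant: {}, streamed over 100 blocks: {}", short_term_capture(1), short_term_capture(100));
}
```

With everything allocated in one call the short-lived balance earns its full pro-rata share of the reward; streamed over 100 blocks it earns only the slice released while it was held.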