Lines of code
https://github.com/code-423n4/2022-05-sturdy/blob/main/smart-contracts/YieldManager.sol#L118-L137
Vulnerability details
Impact
processYield() is restricted to the vault admin. When it runs, the treasury receives its share of the yield and the remainder is transferred to the YieldManager.sol contract. To distribute that yield, the manager calls distributeYield(), which swaps all reward tokens to the exchange token and then deposits the proceeds into the lending pool in a single transaction.

Because that deposit raises every depositor's balance pro rata at the moment it lands, a user can front-run the distribution by depositing funds into the pool just before it and withdrawing them from the protocol immediately after. The admin-only restriction on processYield() does not prevent this: the attacker never needs to call it, only to see the pending distribution and order their own deposit ahead of it. The user is rewarded for taking no risk in the protocol and has diluted the yield allocation to honest depositors, in proportion to the size of their deposit relative to the pool.
Recommended Mitigation Steps
Weight distributions according to deposit duration. One option is a streaming contract that is funded by each yield distribution but releases the yield to the pool gradually over a number of blocks, so that a depositor must stay in the pool for the whole window to capture the whole distribution rather than a single block.
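The following is an added model of the front-run described above and of the streaming mitigation; it is example code written for this page, not Sturdy's contracts. It assumes the lending pool accounts for depositors with shares (yield raises assets per share without minting new shares, which is what makes a deposit-distribute-withdraw sandwich profitable); the SharePool and YieldStream classes and the 1000/1000/100 amounts are constructed for illustration. It goes one step beyond the text by showing that a stream over a single block degenerates back into the lump-sum case.

```python
from dataclasses import dataclass, field


@dataclass
class SharePool:
    """Hypothetical share-based pool: depositors hold shares, yield raises
    total_assets without minting shares, so every holder's claim grows pro rata."""
    total_assets: int = 0
    total_shares: int = 0
    shares: dict = field(default_factory=dict)

    def deposit(self, user: str, amount: int) -> int:
        # First depositor gets shares 1:1; later depositors get shares at the
        # current assets-per-share rate (integer math, as a contract would do).
        if self.total_shares == 0:
            minted = amount
        else:
            minted = amount * self.total_shares // self.total_assets
        self.shares[user] = self.shares.get(user, 0) + minted
        self.total_shares += minted
        self.total_assets += amount
        return minted

    def withdraw_all(self, user: str) -> int:
        s = self.shares.pop(user, 0)
        if s == 0:
            return 0
        amount = s * self.total_assets // self.total_shares
        self.total_shares -= s
        self.total_assets -= amount
        return amount

    def add_yield(self, amount: int) -> None:
        # Yield deposited on behalf of all current holders: no new shares.
        self.total_assets += amount


@dataclass
class YieldStream:
    """Hypothetical streaming distributor (the mitigation): funded with a lump
    sum, it releases an equal slice to the pool on every tick (block)."""
    pool: SharePool
    remaining: int = 0
    blocks_left: int = 0

    def fund(self, amount: int, blocks: int) -> None:
        self.remaining += amount
        self.blocks_left = blocks

    def tick(self) -> int:
        if self.blocks_left == 0:
            return 0
        release = self.remaining // self.blocks_left
        self.remaining -= release
        self.blocks_left -= 1
        self.pool.add_yield(release)
        return release


def lump_sum_frontrun(honest=1000, attacker=1000, yield_amt=100):
    """distributeYield-style lump sum. Returns (attacker profit, honest profit)."""
    pool = SharePool()
    pool.deposit("honest", honest)
    pool.deposit("attacker", attacker)   # front-run: lands just before distribution
    pool.add_yield(yield_amt)            # the whole distribution hits at once
    got = pool.withdraw_all("attacker")  # back-run: exit in the same block
    return got - attacker, pool.withdraw_all("honest") - honest


def streamed_frontrun(honest=1000, attacker=1000, yield_amt=100, blocks=10):
    """Same sandwich against a stream: the attacker only captures one block's slice."""
    pool = SharePool()
    stream = YieldStream(pool)
    pool.deposit("honest", honest)
    pool.deposit("attacker", attacker)
    stream.fund(yield_amt, blocks)
    stream.tick()                        # one block of yield accrues
    got = pool.withdraw_all("attacker")  # attacker leaves; remaining yield still streams
    for _ in range(blocks - 1):
        stream.tick()
    return got - attacker, pool.withdraw_all("honest") - honest


if __name__ == "__main__":
    print("lump sum (attacker, honest):", lump_sum_frontrun())
    print("streamed (attacker, honest):", streamed_frontrun())
```

With equal deposits the lump-sum sandwich hands the attacker half of the distribution for a single block of exposure; with the same distribution streamed over ten blocks the attacker captures one tenth of it and the remaining nine tenths accrue to the depositor who stayed. The stream's window is the parameter to tune: the longer it is, the more duration risk a front-runner must take on to capture a meaningful share.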