sforman2000
commented
2 years ago Duplicate of https://github.com/code-423n4/2022-05-sturdy-findings/issues/61 (high risk)
Closed code423n4 closed 2 years ago
sforman2000
commented
2 years ago Duplicate of https://github.com/code-423n4/2022-05-sturdy-findings/issues/61 (high risk)
Lines of code
https://github.com/code-423n4/2022-05-sturdy/blob/main/smart-contracts/YieldManager.sol#L142-L171
Vulnerability details
Impact
YieldManager.sol#L142-L171 YieldManager distributes yield according to the current state. Big whales can deposit into the protocol before the process yield is called and left the project.
Sandwich attacks are hard to mitigate and whales can always extract value from the blockchain. Many protocols just accept this as a fact. However, there are solutions to mitigate this.
Given the mev searchers are getting more sophisticated in strategy, I consider this is a medium-risk issue.
Proof of Concept
Please refer to this tweet. bout3fiddy MEV searcher can sandwich one trade with 100M funds.
Tools Used
Recommended Mitigation Steps
A common solution to mitigate this issue is to distribute rewards pro-rata to the staking time.
I found the solution AlchemistV2 adopts really elegant. AlchemistV2 It records the underlying token's price on every deposit and distributes rewards according to the time users join the pool.
To implement such a mechanism in Sturdy is difficult though, a easier way I can think of is to use the yieldFarming mechanism and distribute yields over a period of time. AToken can pull the rewards from the
yieldManagerwhen users withdraw.