code-423n4 / 2022-06-nibbl-findings


[PNM-002] Unfairness: the curator (or users with large shares) can always reject payout by sandwich attacks #266

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-nibbl/blob/8c3dbd6adf350f35c58b31723d42117765644110/contracts/NibblVault.sol#L410

Vulnerability details

Impact

15% Attack

Description

The initiateBuyout function uses the current valuation (instead of the time-weighted average one) to determine buyoutRejectionValuation, making the curator (or any other early buyers with a relatively large share) able to reject whatever payout they are not satisfied with.

Specifically, it is a typical sandwich attack. After observing an unsatisfying payout, the curator could first sell out all his tokens/shares, which dramatically reduces the _currentValuation and also the buyoutRejectionValuation. After the initiateBuyout succeeds, the curator buys back all his tokens, which could further increase the TWAV later and make it easier to reject the buyout. Note that the curator sold and bought his tokens at the same position, so he does not suffer from any loss except a few fees.

Especially, when the curator (or any other user) holds more than a 15% share (i.e., REJECTION_PREMIUM), he can always reject a payout.

It is a serious attack since the attacker does not even require 50%, but only 15%, to manipulate the game.

PoC / Attack Scenario

Suggested Fix

Keep tracking the TWAV and use it as the baseline for buyoutRejectionValuation.

HardlyDifficult commented 2 years ago

Great thinking. It is tempting to agree with High risk for this. However it would be easy to see when someone was performing an attack like this. At that point Bob and other users could be advised to use a Flashbot private transaction to bypass the sandwich. The function of the protocol is impacted but it seems assets could be recovered - making this Medium risk.

HardlyDifficult commented 2 years ago

Comment from Kenzo:

The warden says "Note that the curator sold and bought his tokens at the same position, so he does not suffer from any loss except a few fees." However, in order for Alice to buy back her tokens while rejecting Bob, she would have to wait one block between her sell and buyback. (Otherwise the TWAV won't get updated, as it only updates before the first interaction in a block.) Therefore she is open to loss.

If we say that this loss is acceptable for this attack, then what is the difference between the issue POC and the following scenario:

  • Bob initiates buyout
  • Next block, Alice buys shares that reject Bob
  • Next block, Alice sells shares

Looks to me like this scenario is not different from what the warden describes, and this is normal functioning of protocol, unless I am missing something.

I think the suggested fix of the warden is a fair suggestion regardless, but it seems that the issue the warden is describing is not an issue.

That seems correct: Alice would suffer a loss here so the attack as described is not valid.
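As an added illustration (not NibblVault's code and not part of the thread) of the warden's suggested fix and of Kenzo's point that the TWAV only records once per block: a toy Python vault computes the rejection threshold from either the spot valuation or a block-wise TWAV, then replays the sell / initiate / buy-back sequence. The proportional price impact of a trade, the 4-snapshot averaging window and the use of the recovered spot valuation in place of the later TWAV are all simplifying assumptions.

```python
from dataclasses import dataclass, field

REJECTION_PREMIUM = 0.15  # 15%, the figure quoted in the finding


@dataclass
class ToyVault:
    """Constructed stand-in for the vault state (assumption, not NibblVault).
    valuation is the spot valuation in ETH; a trade moves it by the traded
    fraction of supply, a deliberate simplification of the bonding curve."""
    valuation: float
    window: int = 4              # snapshots averaged into the TWAV (assumption)
    block: int = 0
    last_block_seen: int = -1
    snapshots: list = field(default_factory=list)

    def _observe(self) -> None:
        # As noted in the thread: only the first interaction in a block records
        # an observation, and it records the valuation as the block started.
        if self.block != self.last_block_seen:
            self.snapshots = (self.snapshots + [self.valuation])[-self.window:]
            self.last_block_seen = self.block

    def twav(self) -> float:
        return sum(self.snapshots) / len(self.snapshots)

    def trade(self, fraction: float) -> None:
        """fraction > 0 buys, < 0 sells; spot moves proportionally (toy model)."""
        self._observe()
        self.valuation *= 1 + fraction

    def next_block(self) -> None:
        self.block += 1

    def rejection_valuation(self, use_twav: bool) -> float:
        """buyoutRejectionValuation from spot (current code) or TWAV (fix)."""
        self._observe()
        base = self.twav() if use_twav else self.valuation
        return base * (1 + REJECTION_PREMIUM)


def sandwich_scenario(use_twav: bool) -> tuple:
    """Returns (threshold, rejected) for a curator holding 20% of supply."""
    v = ToyVault(valuation=100.0)
    for _ in range(4):           # quiet history: valuation steady at 100 ETH
        v.trade(0.0)
        v.next_block()
    v.trade(-0.20)               # curator dumps the 20% share: spot falls to 80
    threshold = v.rejection_valuation(use_twav)  # buyout initiated, same block
    v.next_block()
    v.trade(+0.25)               # buys back next block: spot returns to 100
    return threshold, v.valuation >= threshold   # spot stands in for later TWAV
```

With the spot baseline the threshold is 92 ETH and the recovered valuation of 100 ETH rejects the buyout; with the TWAV baseline the same-block dump is not yet observed, the threshold stays at 115 ETH and the buyout survives.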