`MintExchangeRate` can be changed by the admin at any time; `claimMint()` allows anyone to claim, which can lead to a front-run attack when a wrong `MintExchangeRate` has been set #271
Lines of code
https://github.com/code-423n4/2023-01-ondo/blob/f3426e5b6b4561e09460b2e6471eb694efdd6c70/contracts/cash/CashManager.sol#L241-L269
Vulnerability details
Impact
The mint exchange rate of the epoch is set by the admin. The current system takes into account that if the admin sets an improper value, it can be corrected via the `overrideExchangeRate()` function.
If the previous incorrect value was lower, but not low enough to trigger an automatic pause, and the admin then sets a correct, higher mint exchange rate, an attacker who observes this transaction could front-run it and call `claimMint()` for other users (but not for himself), forcing them to accept the incorrect, lower exchange rate.
Proof of Concept
https://github.com/code-423n4/2023-01-ondo/blob/f3426e5b6b4561e09460b2e6471eb694efdd6c70/contracts/cash/CashManager.sol#L241-L269
https://github.com/code-423n4/2023-01-ondo/blob/f3426e5b6b4561e09460b2e6471eb694efdd6c70/contracts/cash/CashManager.sol#L487-L493
https://github.com/code-423n4/2023-01-ondo/blob/f3426e5b6b4561e09460b2e6471eb694efdd6c70/contracts/cash/CashManager.sol#L366-L385
The admin calls `setMintExchangeRate()` to set the exchange rate for epoch 1 to `100`.
The admin discovers that `100` is the incorrect exchange rate for epoch 1 and that the correct value is `110`, so the admin calls `overrideExchangeRate()` to set the exchange rate to `110`.
The attacker observes the admin's `overrideExchangeRate()` transaction and quickly submits `claimMint()` transactions that front-run the admin's tx, claiming the `cash` for other users in epoch 1 so that they accept the exchange rate `100`.
Recommended Mitigation Steps
Consider only allowing `msg.sender` to call `claimMint` for himself.
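The ordering in the proof of concept, as an added Python model (not the CashManager code; the class, method and user names are assumptions made for illustration). A claim settles at whatever rate is stored when it executes, so a third-party claim placed ahead of the override locks in `100`, while a sender-only check lets the user claim after the correction.

```python
# Added illustration: a minimal model of the ordering, not the CashManager contract.
class Unauthorized(Exception):
    pass

class EpochMintModel:
    """One rate per epoch; a claim settles at the rate stored when it executes."""

    def __init__(self, sender_only):
        self.sender_only = sender_only   # True models the recommended mitigation
        self.rate = {}                   # epoch -> mint exchange rate
        self.pending = {}                # (epoch, user) -> True while unclaimed
        self.settled = {}                # (epoch, user) -> rate the claim used

    def request_mint(self, epoch, user):
        self.pending[(epoch, user)] = True

    def set_rate(self, epoch, rate):     # stands in for set/overrideExchangeRate
        self.rate[epoch] = rate

    def claim_mint(self, caller, user, epoch):
        if self.sender_only and caller != user:
            raise Unauthorized("claim must come from the user")
        if not self.pending.pop((epoch, user), False):
            raise ValueError("nothing to claim")
        self.settled[(epoch, user)] = self.rate[epoch]
        return self.settled[(epoch, user)]

def run_scenario(sender_only):
    """Replays the three steps above and returns the rate alice's claim settled at."""
    m = EpochMintModel(sender_only)
    m.request_mint(1, "alice")           # constructed user names
    m.set_rate(1, 100)                   # step 1: the wrong rate is stored
    # Execution order after the front-run: third-party claim first, override second.
    try:
        m.claim_mint("mallory", "alice", 1)
    except Unauthorized:
        pass                             # mitigated: the third-party claim reverts
    m.set_rate(1, 110)                   # step 2: the admin's correction lands
    if (1, "alice") in m.pending:        # only still pending when mitigated
        m.claim_mint("alice", "alice", 1)
    return m.settled[(1, "alice")]

if __name__ == "__main__":
    print("open claim settles at:", run_scenario(False))
    print("sender-only claim settles at:", run_scenario(True))
```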