Providers can lose part of reward due to frontrunning
Proof of Concept
The liquidation() function after execution, transfers the reduceAsset reward to provider but when called by the keeper, the keeper reward is deducted from the providers reward and sent to the keeper.
if (provider == msg.sender) {
collateralAsset.transfer(msg.sender, reducedAsset);
} else {
reward2keeper = (reducedAsset * configurator.vaultKeeperRatio(address(this))) / 110;
collateralAsset.transfer(provider, reducedAsset - reward2keeper); // @audit amount get deducted from providers reward and sent to msg.sender
collateralAsset.transfer(msg.sender, reward2keeper);
}
However due to lack of verification or access control on msg.sender, anyone not necessarily the keeper at anytime can perform this and take keeper reward from provider's expected reward after the provider has given allowance to the contract by frontrunning. This attack can be executed on the providers every single time they try liquidating a borrower
Tools Used
Visual Studio Code
Recommended Mitigation Steps
Consider implementing an access control or permission on the msg.sender
Lines of code
https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/pools/base/LybraEUSDVaultBase.sol#L173 https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/pools/base/LybraPeUSDVaultBase.sol#L140
Vulnerability details
Impact
Providers can lose part of reward due to frontrunning
Proof of Concept
The liquidation() function after execution, transfers the reduceAsset reward to provider but when called by the keeper, the keeper reward is deducted from the providers reward and sent to the keeper.
However due to lack of verification or access control on msg.sender, anyone not necessarily the keeper at anytime can perform this and take keeper reward from provider's expected reward after the provider has given allowance to the contract by frontrunning. This attack can be executed on the providers every single time they try liquidating a borrower
Tools Used
Visual Studio Code
Recommended Mitigation Steps
Consider implementing an access control or permission on the msg.sender
Assessed type
Access Control