Closed c4-bot-7 closed 7 months ago
The issue is well demonstrated, properly formatted, contains a coded POC. Marking as HQ.
0xSorryNotSorry marked the issue as high quality report
0xSorryNotSorry marked the issue as duplicate of #906
0xSorryNotSorry marked the issue as duplicate of #877
Trumpero marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/loan/SurplusGuildMinter.sol#L158-L212
Vulnerability details
Impact
Any user can avoid slashing losses by frontrunning the call that creates a loss on the system (e.g. a call to notifyPnL with a negative amount). This should not be possible: the user can then stake with no risk at all and only collect rewards, whereas users who stake are supposed to earn rewards in exchange for carrying the risk of being slashed in case of losses.
Proof of Concept
There is no mechanism to prevent frontrunning the call that creates a loss. An attacker could simply unstake his whole stake before the loss is notified to the system. This way he gets the full benefit of earning rewards with no risk of slashing.
Add this test to the SurplusGuildMinter.t.sol file and add the import
import "@forge-std/console.sol";
Run with
forge test --match-path ./test/unit/loan/SurplusGuildMinter.t.sol -vvv
Tools Used
Manual review
Recommended Mitigation Steps
Implement a mechanism where a user first has to call requestUnstake() and can only call unstake() after unstakeDelay has elapsed. The unstakeDelay can be really small. Even 1 block would be enough, as the user can no longer frontrun the loss-notifying transaction. It would be a good idea to use a longer delay in case the loss-notifying transaction is a low-gas tx that takes several blocks to be included.
Assessed type
Timing
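To make the two-step flow from the Recommended Mitigation Steps concrete, here is an added example contract (not the project's code and not a patch for SurplusGuildMinter). Only the names requestUnstake(), unstakeDelay and unstake() come from the report; the Stake struct, the notifyLoss() hook and the profitManager role are simplified stand-ins for the real accounting, and token transfers are omitted.

```solidity
pragma solidity ^0.8.13;
// Added example, not the project's code. Only requestUnstake(), unstakeDelay and
// unstake() come from the mitigation text; the rest is simplified stand-in accounting.
contract TwoStepUnstakeExample {
    struct Stake {
        uint256 amount;
        uint256 stakeBlock;          // block in which the position was (re)opened
        uint256 unstakeRequestBlock; // 0 while no unstake request is pending
    }
    mapping(address => Stake) public stakes;
    uint256 public immutable unstakeDelay;  // in blocks; 1 already beats same-block frontrunning
    address public immutable profitManager; // assumed sole reporter of losses
    uint256 public lastLossBlock;           // block of the latest reported loss, 0 if none

    constructor(uint256 _unstakeDelay, address _profitManager) {
        require(_unstakeDelay >= 1, "delay must be at least one block");
        unstakeDelay = _unstakeDelay;
        profitManager = _profitManager;
    }

    function stake(uint256 amount) external {
        Stake storage s = stakes[msg.sender];
        // A position already hit by a loss is wiped before the top-up, so topping up
        // cannot launder a slashable balance into a fresh stakeBlock.
        if (s.amount > 0 && lastLossBlock > s.stakeBlock) s.amount = 0;
        s.amount += amount;
        s.stakeBlock = block.number;
        s.unstakeRequestBlock = 0; // a new deposit cancels any pending request
    }
    // Stands in for the negative-PnL path of notifyPnL in the real system.
    function notifyLoss() external {
        require(msg.sender == profitManager, "unauthorized");
        lastLossBlock = block.number;
    }

    function requestUnstake() external {
        require(stakes[msg.sender].amount > 0, "nothing staked");
        stakes[msg.sender].unstakeRequestBlock = block.number;
    }

    function unstake() external returns (uint256 paidOut) {
        Stake storage s = stakes[msg.sender];
        require(s.unstakeRequestBlock != 0, "call requestUnstake first");
        require(block.number >= s.unstakeRequestBlock + unstakeDelay, "delay not elapsed");
        // A loss reported after the stake was opened, including one landing in the
        // blocks between the request and this call, still slashes the whole position.
        bool slashed = lastLossBlock > s.stakeBlock;
        paidOut = slashed ? 0 : s.amount;
        delete stakes[msg.sender]; // token transfer of paidOut omitted
    }
}
```

With unstakeDelay set to 1, a requestUnstake() placed in the same block as the loss notification is followed by an unstake() in a later block, at which point lastLossBlock is already past stakeBlock and the position is slashed.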