code-423n4 / 2023-12-ethereumcreditguild-findings


Rewards to GUILD token holders are sandwichable #1265

Closed c4-bot-10 closed 6 months ago

c4-bot-10 commented 6 months ago

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/ProfitManager.sol#L396-L399

Vulnerability details

Impact

The ProfitManager contract has a potential vulnerability where an attacker can perform a sandwich attack. This vulnerability arises from the way the notifyPnL function updates the gaugeProfitIndex for the reporting gauge immediately when a positive PnL is reported.

Entry points that call notifyPnL with a positive PnL are LendingTerm.repay(), LendingTerm.PartialRepay(), and in some cases AuctionHouse.bid(). Unlike rewards to CREDIT holders, rewards to GUILD holders aren't distributed gradually. This means an attacker can sandwich any of these calls, increasing their weight in this gauge, immediately call ProfitManager.claimGaugeRewards() or SurplusGuildMinter.getRewards() afterwards to reap the rewards, and then unstake/decrease their weight again.

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/ProfitManager.sol#L396-L399

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/ProfitManager.sol#L427-L435

Proof of Concept

An attacker can follow these steps to exploit the vulnerability:

  1. Monitor the blockchain for transactions that call LendingTerm.repay(), LendingTerm.PartialRepay(), or AuctionHouse.bid() during the first phase of an auction.
  2. When such a transaction is found, the attacker sends a transaction with a higher gas price to increase their weight in the gauge.
  3. The attacker then immediately calls claimGaugeRewards() or getRewards() to claim the rewards.
  4. Finally, the attacker unstakes or decreases their weight in the gauge.

This sequence of actions allows the attacker to unfairly claim more rewards than they should be entitled to.

Tools Used

Manual review

Recommended Mitigation Steps

To mitigate this vulnerability, consider implementing a mechanism to distribute GUILD rewards gradually, similar to how CREDIT rewards are distributed. This could prevent an attacker from being able to immediately claim rewards after increasing their weight in the gauge. Additionally, consider implementing measures to prevent rapid changes in gauge weight, such as rate limiting or cooldown periods.

Assessed type

Other
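The following is an added accounting model, not code from the Ethereum Credit Guild repository, that shows why an index updated at the instant a profit is reported rewards weight that was present only for that block, and how the gradual distribution suggested in the mitigation changes the outcome. `ImmediateIndexGauge`, `DrippingGauge`, `sandwich_scenario` and the sample weights and profit amount are all constructed for this illustration and simplify the real `ProfitManager` bookkeeping.

```python
# Added model (not the project's code): a gauge whose reward index bumps
# immediately on profit, versus one that releases profit linearly over a window.

PRECISION = 10**18          # fixed-point scale for the reward index
WEEK = 7 * 24 * 3600        # drip window used by the example


class ImmediateIndexGauge:
    """Profit is folded into the reward index the moment it is reported.

    Simplified stand-in for the pattern the report describes: whoever holds
    weight at the instant of the report receives a pro-rata share.
    """

    def __init__(self):
        self.total_weight = 0
        self.weights = {}          # user -> weight in the gauge
        self.user_index = {}       # user -> index at last checkpoint
        self.accrued = {}          # user -> rewards credited but not claimed
        self.index = PRECISION     # cumulative rewards per unit of weight
        self.now = 0               # model clock, seconds

    def _sync(self):
        """Hook for time-dependent release; the immediate model has none."""

    def _checkpoint(self, user):
        # Credit the user for index growth since their last checkpoint.
        self._sync()
        delta = self.index - self.user_index.get(user, self.index)
        earned = self.weights.get(user, 0) * delta // PRECISION
        self.accrued[user] = self.accrued.get(user, 0) + earned
        self.user_index[user] = self.index

    def increment_weight(self, user, amount):
        self._checkpoint(user)
        self.weights[user] = self.weights.get(user, 0) + amount
        self.total_weight += amount

    def decrement_weight(self, user, amount):
        self._checkpoint(user)
        self.weights[user] -= amount
        self.total_weight -= amount

    def notify_profit(self, amount):
        # Whole profit lands in the index right away.
        self._sync()
        if self.total_weight:
            self.index += amount * PRECISION // self.total_weight

    def claim(self, user):
        self._checkpoint(user)
        out, self.accrued[user] = self.accrued.get(user, 0), 0
        return out

    def advance(self, seconds):
        self.now += seconds
        self._sync()


class DrippingGauge(ImmediateIndexGauge):
    """Profit is buffered and released into the index linearly over drip_period."""

    def __init__(self, drip_period=WEEK):
        super().__init__()
        assert drip_period > 0, "drip window must be non-zero"
        self.drip_period = drip_period
        self.unreleased = 0        # profit reported but not yet in the index
        self.drip_end = 0
        self.last_release = 0

    def notify_profit(self, amount):
        self._sync()
        # Carry over anything still unreleased and restart the window.
        self.unreleased += amount
        self.drip_end = self.now + self.drip_period
        self.last_release = self.now

    def _sync(self):
        # Release the portion of the buffer that the elapsed time entitles.
        if self.unreleased == 0 or self.now <= self.last_release or self.total_weight == 0:
            return
        end = min(self.now, self.drip_end)
        portion = self.unreleased * (end - self.last_release) // (self.drip_end - self.last_release)
        self.unreleased -= portion
        self.last_release = end
        self.index += portion * PRECISION // self.total_weight


def sandwich_scenario(gauge):
    """An existing staker holds 100 weight; 900 weight is added in the same block
    as a 1000 profit report, claimed on, and withdrawn immediately. Returns
    (same-block take, existing staker's take after one window)."""
    gauge.increment_weight("staker", 100)
    gauge.increment_weight("latecomer", 900)     # weight added just before the report
    gauge.notify_profit(1000)                    # positive PnL reported to the gauge
    take = gauge.claim("latecomer")              # claim in the same block
    gauge.decrement_weight("latecomer", 900)     # and withdraw the weight
    gauge.advance(WEEK)                          # the existing staker stays
    return take, gauge.claim("staker")


if __name__ == "__main__":
    print("immediate index:", sandwich_scenario(ImmediateIndexGauge()))   # (900, 100)
    print("dripping index: ", sandwich_scenario(DrippingGauge()))         # (0, 1000)
```

With the immediate index the same-block weight captures 90% of the profit and the long-term staker keeps 10%; with the drip, a same-block claim returns nothing and weight only earns by staying in the gauge through the window. A cooldown on weight decreases, the other mitigation the report suggests, achieves a similar effect by forcing added weight to remain staked, so the two can be combined.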

c4-pre-sort commented 6 months ago

0xSorryNotSorry marked the issue as sufficient quality report

c4-pre-sort commented 6 months ago

0xSorryNotSorry marked the issue as duplicate of #877

c4-pre-sort commented 6 months ago

0xSorryNotSorry marked the issue as not a duplicate

c4-pre-sort commented 6 months ago

0xSorryNotSorry marked the issue as duplicate of #994

c4-judge commented 5 months ago

Trumpero changed the severity to 2 (Med Risk)

c4-judge commented 5 months ago

Trumpero marked the issue as satisfactory