Closed c4-bot-10 closed 6 months ago
0xSorryNotSorry marked the issue as sufficient quality report
0xSorryNotSorry marked the issue as duplicate of #877
0xSorryNotSorry marked the issue as not a duplicate
0xSorryNotSorry marked the issue as duplicate of #994
Trumpero changed the severity to 2 (Med Risk)
Trumpero marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/ProfitManager.sol#L396-L399
Vulnerability details
Impact
The ProfitManager contract has a potential vulnerability where an attacker can perform a sandwich attack. This vulnerability arises from the way the notifyPnL function updates the gaugeProfitIndex for the reporting gauge immediately when a positive PnL is reported.
Entry points that call notifyPnL with a positive PnL are LendingTerm.repay(), LendingTerm.PartialRepay(), and in some cases AuctionHouse.bid(). Unlike rewards to CREDIT holders, rewards to GUILD holders aren't distributed gradually. This means an attacker can sandwich any of these calls, increasing their weight in this gauge, immediately call ProfitManager.claimGaugeRewards() or SurplusGuildMinter.getRewards() afterwards to reap the rewards, and then unstake/decrease their weight again.
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/ProfitManager.sol#L396-L399
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/ProfitManager.sol#L427-L435
Proof of Concept
An attacker can follow these steps to exploit the vulnerability:
LendingTerm.repay(), LendingTerm.PartialRepay(), or AuctionHouse.bid() during the first phase of an auction.
claimGaugeRewards() or getRewards() to claim the rewards.
This sequence of actions allows the attacker to unfairly claim more rewards than they should be entitled to.
Tools Used
Manual review
Recommended Mitigation Steps
To mitigate this vulnerability, consider implementing a mechanism to distribute GUILD rewards gradually, similar to how CREDIT rewards are distributed. This could prevent an attacker from being able to immediately claim rewards after increasing their weight in the gauge. Additionally, consider implementing measures to prevent rapid changes in gauge weight, such as rate limiting or cooldown periods.
Assessed type
Other
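
The accounting effect described in this report, and the effect of the gradual distribution it recommends, can be compared in a small model. This is an added example, not code from the report or from the ProfitManager contract: the Gauge class, the payouts helper, the 100/900 weights, the 1000 profit and the 100-block release window are all constructed assumptions.

```python
from fractions import Fraction

class Gauge:
    """Simplified index accounting (assumed model). stream_blocks=0 credits profit at once."""
    def __init__(self, stream_blocks=0):
        self.stream_blocks = stream_blocks
        self.index = Fraction(0)    # cumulative profit per unit of gauge weight
        self.pending, self.rate = Fraction(0), Fraction(0)  # unreleased profit, per-block release
        self.total = 0
        self.weight, self.snap, self.earned = {}, {}, {}

    def _settle(self, user):
        delta = self.index - self.snap.get(user, self.index)
        self.earned[user] = self.earned.get(user, 0) + self.weight.get(user, 0) * delta
        self.snap[user] = self.index

    def set_weight(self, user, new_weight):
        self._settle(user)
        self.total += new_weight - self.weight.get(user, 0)
        self.weight[user] = new_weight

    def notify_profit(self, amount):
        if self.stream_blocks == 0:
            self.index += Fraction(amount, self.total)  # whole profit lands in one step
        else:
            self.pending += amount
            self.rate = self.pending / self.stream_blocks

    def next_block(self):
        release = min(self.pending, self.rate)
        if release and self.total:
            self.index += release / self.total
            self.pending -= release

    def claim(self, user):
        self._settle(user)
        return self.earned[user]

def payouts(stream_blocks):
    """Return (short-lived holder's payout, long-term holder's payout) for a 1000 profit."""
    g = Gauge(stream_blocks)
    g.set_weight("long_term", 100)
    g.set_weight("short_lived", 900)  # weight present only around the profit report
    g.notify_profit(1000)
    g.next_block()
    short = g.claim("short_lived")
    g.set_weight("short_lived", 0)
    for _ in range(stream_blocks):
        g.next_block()
    return short, g.claim("long_term")
```

With instant crediting the weight held for one block receives 900 of the 1000; with the 100-block release it receives 9 and the long-term holder receives 991.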