code-423n4 / 2023-12-ethereumcreditguild-findings


Upgraded Q -> 2 from #481 [1706648292480] #1280

Closed c4-judge closed 5 months ago

c4-judge commented 5 months ago

Judge has assessed an item in Issue #481 as 2 risk. The relevant finding follows:

5. Attacker can front-run distributeReward from the GUILD token and steal newly added rewards

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/SurplusGuildMinter.sol#L114-#L212

Vulnerability details

Every time notifyPnL() is called, if the config allots part of the token to guild, credit tokens are distributed to guild holders:

        if (amountForGuild != 0) {
            uint256 _gaugeWeight = uint256(GuildToken(guild).getGaugeWeight(gauge));
            if (_gaugeWeight != 0) {
                uint256 _gaugeProfitIndex = gaugeProfitIndex[gauge];
                if (_gaugeProfitIndex == 0) {
                    _gaugeProfitIndex = 1e18; // uninitialised index is read as 1e18
                }
                // index rises by amountForGuild per unit of the *current* gauge weight,
                // regardless of how long each staker has held that weight
                gaugeProfitIndex[gauge] = _gaugeProfitIndex + (amountForGuild * 1e18) / _gaugeWeight;
            }
        }

This enables a well-known attack vector, in which the attacker deposits peg tokens to get credit tokens, stakes them, and unstakes right after claiming the reward.

Impact

Not every time can a user claim rewards and profit like this; it depends a lot on other factors: the total credit tokens that can be minted by RateLimitedMinter, the total profit gained, ..., but the attack effectively steals part of the newly added rewards.

Recommendation

Rewards distributed for staking guild tokens should be distributed like credit token rebasing.
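To make the front-run concrete, the following is an added model of the index accounting quoted above, written for this page and not the project's own code. It re-implements the gauge index update with a per-user checkpoint (the `user_index` and `claimed` bookkeeping, the one-gauge simplification and the `StreamedGaugeRewards` variant are assumptions made here, not ECG's implementation) and runs the finding's scenario twice: once with the plain index bump, where the attacker who stakes 900 right before notifyPnL and exits right after takes 90% of the new rewards, and once with the rewards streamed linearly over a period, in the spirit of the rebasing recommendation, where the same flash stake accrues nothing.

```python
"""Illustrative model of the gauge profit-index accounting (one gauge,
rewards in credit token, wad = 1e18). Not the project's code: the per-user
checkpoint bookkeeping and the streamed variant are assumptions made here."""

WAD = 10**18


class GaugeRewards:
    """Index-based distribution as in the quoted snippet: every notifyPnL
    bumps the gauge index by amountForGuild / gaugeWeight, and a staker's
    claim is weight * (index_now - index_at_last_checkpoint)."""

    def __init__(self):
        self.gauge_profit_index = 0   # 0 means "uninitialised", read as 1e18
        self.weights = {}             # user -> staked weight on the gauge
        self.user_index = {}          # user -> index at last checkpoint
        self.claimed = {}             # user -> credit tokens paid out so far

    def _index(self):
        return self.gauge_profit_index or WAD

    def checkpoint(self, user):
        """Pay out everything accrued since the user's last checkpoint."""
        idx = self._index()
        user_idx = self.user_index.get(user) or WAD
        w = self.weights.get(user, 0)
        self.claimed[user] = self.claimed.get(user, 0) + w * (idx - user_idx) // WAD
        self.user_index[user] = idx

    def stake(self, user, amount):
        self.checkpoint(user)
        self.weights[user] = self.weights.get(user, 0) + amount

    def unstake(self, user, amount):
        self.checkpoint(user)
        self.weights[user] -= amount

    def notify_pnl(self, amount_for_guild):
        gauge_weight = sum(self.weights.values())
        if amount_for_guild != 0 and gauge_weight != 0:
            self.gauge_profit_index = self._index() + amount_for_guild * WAD // gauge_weight


class StreamedGaugeRewards(GaugeRewards):
    """Assumed mitigation in the spirit of the rebasing recommendation: the
    same index, but notify_pnl() streams amountForGuild linearly over
    `period` seconds, so the index only moves with elapsed time and a staker
    who enters and exits in the same block accrues nothing. Simplification:
    seconds with zero gauge weight are dropped rather than carried forward."""

    def __init__(self, period):
        super().__init__()
        self.period = period
        self.now = 0          # simulated block.timestamp
        self.rate = 0         # credit tokens streamed per second
        self.stream_end = 0
        self.last_update = 0

    def _accrue(self):
        t = min(self.now, self.stream_end)
        elapsed = t - self.last_update
        gauge_weight = sum(self.weights.values())
        if elapsed > 0 and gauge_weight != 0:
            self.gauge_profit_index = self._index() + self.rate * elapsed * WAD // gauge_weight
        self.last_update = max(self.last_update, t)

    def checkpoint(self, user):
        self._accrue()
        super().checkpoint(user)

    def notify_pnl(self, amount_for_guild):
        self._accrue()                      # settle the previous stream first
        self.rate = amount_for_guild // self.period
        self.stream_end = self.now + self.period
        self.last_update = self.now


def run_scenario(streamed):
    """Constructed scenario: an honest staker holds 100 weight; the attacker
    front-runs a notifyPnL carrying 1000 credit for the gauge with a 900 stake
    and exits right after. Returns (attacker_claimed, honest_claimed)."""
    g = StreamedGaugeRewards(period=100) if streamed else GaugeRewards()
    g.stake("honest", 100)
    if streamed:
        g.now = 10                          # attacker acts 10s later, same block as notifyPnL
    g.stake("attacker", 900)                # front-run: lands just before notifyPnL
    g.notify_pnl(1000)
    g.unstake("attacker", 900)              # exit in the same block, pocketing the claim
    if streamed:
        g.now = 110                         # let the stream finish
    g.checkpoint("honest")
    return g.claimed["attacker"], g.claimed["honest"]


if __name__ == "__main__":
    print("index-based (attacker, honest):", run_scenario(streamed=False))  # (900, 100)
    print("streamed    (attacker, honest):", run_scenario(streamed=True))   # (0, 1000)
```

The streamed variant only removes the flash profit: an attacker who stakes before the profit is reported and keeps the capital staked for the whole period still dilutes the honest staker pro rata, which is the ordinary, intended behaviour of the gauge.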

c4-judge commented 5 months ago

Trumpero marked the issue as duplicate of #994

c4-judge commented 5 months ago

Trumpero marked the issue as satisfactory