Unfair tokens rewarded to users when ProfitManager distribute tokens to subscribers

[c4-bot-5]

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/tokens/ERC20RebaseDistributor.sol#L373 https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/tokens/ERC20RebaseDistributor.sol#L382 https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/tokens/ERC20RebaseDistributor.sol#L338

Vulnerability details

The ERC20RebaseDistrubtor::distribute rewards users without accounting for when and how many tokens they have. There isn't an access control or timelock system in the _mint function.

// ERC20RebaseDistributor.sol
    function distribute(uint256 amount) external {

Exploit Scenario: 1) ProfitManager wants to distribute 500 tokens to susbscribed rebased account. 2) Alice and Bob both have rebased accounts which should get 250 tokens each. 3) Malicious Charlie monitor the mempool, and summon 8 bots to frontrun distribute function. 4) Alice and Bob gets 50 tokens each. 5) Charlie bots accumulate 400 tokens.

This means that Alice and Bob loses 200 tokens each.

Impact

MEV bots monitor the mempool if distribute function is called by ProfitManager, the malicious attacker can summon hundreds of bots and request for mint frontrunning the distribute function allowing them to pocket the reward tokens.

Tools Used

Manual Review

Recommended Mitigation Steps

Reward users based on their token supply or only mint tokens via a allowed period.

Assessed type

MEV

[0xSorryNotSorry]

The submission does not provide any demonstration of the issue, reasoning and code blocks.

[c4-pre-sort]

0xSorryNotSorry marked the issue as insufficient quality report

[Trumpero]

Invalid assumptions and lacking evidence

[c4-judge]

Trumpero marked the issue as unsatisfactory: Insufficient quality