code-423n4 / 2023-12-ethereumcreditguild-findings


Can sandwich large profits by staking and unstaking in SurplusGuildMinter #592

Closed c4-bot-6 closed 9 months ago

c4-bot-6 commented 9 months ago

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/governance/ProfitManager.sol#L396

Vulnerability details

Impact

Reasonably large profits, as accounted for in the ProfitManager, can be sandwiched by staking and unstaking in the SurplusGuildMinter to take a significant share of the profits without taking on any risk.

Note that the same exploit can be performed by incrementing and decrementing gauge weight via holding the Guild token directly.

Proof of Concept

When a repayment or liquidation of a lending position results in profit for the protocol, the ProfitManager distributes that profit, with a portion of it going to gauge voters according to their gauge weight by incrementing the gaugeProfitIndex.

gaugeProfitIndex[gauge] =
    _gaugeProfitIndex +
    (amountForGuild * 1e18) /
    _gaugeWeight;

Since we're increasing the gaugeProfitIndex in a stepwise fashion, it's possible to sandwich this increase to take a share of the profits without incurring any of the risk of gauge voting.

Consider, for example, a circumstance where the amountForGuild is 10000 tokens, perhaps because a large position was liquidated. An MEV bot monitoring the mempool can see that this is about to occur and execute the following attack:

Since the attacker only had their stake active for one transaction, which they knew was profitable, their position incurred absolutely 0 risk, stealing the profits from legitimate voters that are actually incurring risk. This disincentivizes actually staking/gauge voting, which reduces the debt ceiling of LendingTerms and significantly detrimentally affects the entire protocol.

Tools Used

Recommended Mitigation Steps

Consider either enforcing positions to be locked for a period of time to ensure users all incur risk, or distribute profits over a period of time similarly to how profits are distributed to rebasing CREDIT.

Assessed type

Timing
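To make the accounting behind this finding concrete, the following added Python model (not the project's code; the class and function names are hypothetical, and the amounts are constructed) reproduces the stepwise `gaugeProfitIndex` update quoted above and contrasts it with the second suggested mitigation, releasing each profit linearly over a fixed window. It shows why a stake that is present only across the profit-notifying transaction collects a full weight-proportional share under the stepwise design, and only a time-proportional sliver under the streaming design.

```python
"""Model of a gauge profit index: stepwise (as in the quoted snippet)
versus linearly streamed over a window. Constructed example, not
ProfitManager code. Weights are in whole tokens, profit in wei."""
from dataclasses import dataclass

SCALE = 10**18
PROFIT = 10_000 * 10**18          # constructed: 10000 tokens, 18 decimals
WEEK = 7 * 24 * 3600
BLOCK = 12                         # constructed: one block of exposure


@dataclass
class Staker:
    weight: int
    index_at_entry: int            # profit_index snapshot at (re)entry
    claimed: int = 0


class StepwiseGauge:
    """Index jumps by amountForGuild * 1e18 / gaugeWeight on each profit."""

    def __init__(self):
        self.profit_index = 0
        self.total_weight = 0
        self.stakers = {}

    def _settle(self, who):
        s = self.stakers[who]
        owed = s.weight * (self.profit_index - s.index_at_entry) // SCALE
        s.claimed += owed
        s.index_at_entry = self.profit_index
        return owed

    def stake(self, who, weight):
        if who in self.stakers:
            self._settle(who)
            self.stakers[who].weight += weight
        else:
            self.stakers[who] = Staker(weight, self.profit_index)
        self.total_weight += weight

    def unstake(self, who):
        self._settle(who)
        s = self.stakers.pop(who)
        self.total_weight -= s.weight
        return s.claimed

    def notify_profit(self, amount_for_guild):
        # Simplification: profit with no weight is dropped in this model.
        if self.total_weight == 0:
            return
        self.profit_index += amount_for_guild * SCALE // self.total_weight


class StreamingGauge(StepwiseGauge):
    """Same index, but each profit is released linearly over `window`
    seconds, so a share accrues only for time actually spent staked."""

    def __init__(self, window):
        super().__init__()
        self.window = window
        self.stream_remaining = 0
        self.stream_end = 0
        self.last_update = 0

    def _accrue(self, now):
        # Release the slice of the stream elapsed since last_update.
        if now > self.last_update and self.stream_remaining > 0:
            span_end = min(now, self.stream_end)
            if span_end > self.last_update:
                released = (self.stream_remaining * (span_end - self.last_update)
                            // (self.stream_end - self.last_update))
                self.stream_remaining -= released
                if self.total_weight > 0:
                    self.profit_index += released * SCALE // self.total_weight
        self.last_update = max(self.last_update, now)

    def stake(self, who, weight, now):
        self._accrue(now)
        super().stake(who, weight)

    def unstake(self, who, now):
        self._accrue(now)
        return super().unstake(who)

    def notify_profit(self, amount_for_guild, now):
        self._accrue(now)
        self.stream_remaining += amount_for_guild
        self.stream_end = now + self.window


def stepwise_scenario():
    """Honest 1000-weight staker; 9000 weight added just before the profit
    and removed right after. Returns (honest_payout, short_term_payout)."""
    g = StepwiseGauge()
    g.stake("honest", 1000)
    g.stake("short_term", 9000)
    g.notify_profit(PROFIT)
    short = g.unstake("short_term")
    return g.unstake("honest"), short


def streaming_scenario(window=WEEK, exposure=BLOCK):
    """Same weights and profit, but the short-term stake is present for
    `exposure` seconds of a `window`-second release period."""
    g = StreamingGauge(window)
    g.stake("honest", 1000, 0)
    g.stake("short_term", 9000, 0)
    g.notify_profit(PROFIT, 0)
    short = g.unstake("short_term", exposure)
    return g.unstake("honest", window), short


if __name__ == "__main__":
    print("stepwise  (honest, short-term):", stepwise_scenario())
    print("streaming (honest, short-term):", streaming_scenario())
```

Under the stepwise index the 9000-weight position collects 90% of the profit for one block of exposure; under the streamed release the same position collects roughly 12/604800 of its share, and the remainder flows to whoever stays staked through the window. The lock-period mitigation can be modelled the same way by refusing `unstake` before `index_at_entry` is older than the lock, which is what makes the short-lived stake bear the same risk as the honest one.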

c4-pre-sort commented 9 months ago

0xSorryNotSorry marked the issue as sufficient quality report

c4-pre-sort commented 9 months ago

0xSorryNotSorry marked the issue as duplicate of #877

c4-pre-sort commented 9 months ago

0xSorryNotSorry marked the issue as not a duplicate

c4-pre-sort commented 9 months ago

0xSorryNotSorry marked the issue as duplicate of #994

c4-judge commented 8 months ago

Trumpero changed the severity to 2 (Med Risk)

c4-judge commented 8 months ago

Trumpero marked the issue as satisfactory