Closed c4-bot-1 closed 7 months ago
https://docs.code4rena.com/awarding/judging-criteria/supreme-court-decisions-fall-2023#verdict-proposal-penalties-for-invalid-submissions
Exact same submissions as xiaohuanxiong_0311
See #194
MarioPoneder marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-02-uniswap-foundation/blob/main/src/UniStaker.sol#L753-L756
Vulnerability details
Impact
The identified vulnerability stems from the potential for an attacker to engage in front-running within the `_checkpointGlobalReward` function of the staking contract. By monitoring the blockchain for transactions calling the `receiveRewards` function and placing a high gas fee transaction to deposit a substantial amount of tokens just before the `receiveRewards` transaction is confirmed, the attacker can manipulate the `rewardPerTokenAccumulatedCheckpoint` and `lastCheckpointTime` to reflect the inflated token amount. Consequently, when the `receiveRewards` transaction is processed, rewards are calculated and distributed based on this inflated stake, allowing the attacker to claim a disproportionate share of the rewards upon withdrawal. This manipulation effectively allows the attacker to extract miner-extractable value (MEV) and constitutes theft of unclaimed yield, severely impacting the fairness of reward distribution and resulting in financial losses for honest stakers.
Proof of Concept
https://github.com/code-423n4/2024-02-uniswap-foundation/blob/main/src/UniStaker.sol#L753-L756
Tools Used
Meta Scan
Recommended Mitigation Steps
To address this vulnerability and prevent front-running attacks on the rewards distribution mechanism, it is recommended to implement safeguards such as:
By implementing these safeguards, the contract can mitigate the risk of MEV extraction through front-running attacks and ensure a fair distribution of rewards to all stakers.
Assessed type
MEV
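Added example, not code from the submission or from UniStaker: a constructed Python model of the Synthetix-style checkpointed reward accumulator that UniStaker's `_checkpointGlobalReward` follows (assumed here for illustration), using the page's `rewardPerTokenAccumulatedCheckpoint` and `lastCheckpointTime` names. It shows what a deposit placed immediately before a reward notification actually accrues: only the accumulator growth after the deposit, since each staker is checkpointed at stake time. The `duration`, amounts and timestamps are constructed values.

```python
SCALE = 10**18

class RewardModel:
    def __init__(self, duration):
        self.duration, self.now, self.total_staked = duration, 0, 0
        self.reward_rate = 0            # reward tokens per second, scaled by SCALE
        self.reward_end_time = self.last_checkpoint_time = self.reward_per_token_accumulated_checkpoint = 0
        self.balances, self.user_checkpoint, self.stored = {}, {}, {}

    def _applicable_time(self):
        return min(self.now, self.reward_end_time)

    def reward_per_token_accumulated(self):
        # Checkpoint plus reward streamed since lastCheckpointTime, spread over total stake.
        if self.total_staked == 0:
            return self.reward_per_token_accumulated_checkpoint
        elapsed = self._applicable_time() - self.last_checkpoint_time
        return (self.reward_per_token_accumulated_checkpoint
                + self.reward_rate * elapsed // self.total_staked)

    def _checkpoint_global_reward(self):
        self.reward_per_token_accumulated_checkpoint = self.reward_per_token_accumulated()
        self.last_checkpoint_time = self._applicable_time()

    def unclaimed_reward(self, user):
        # A user only earns on accumulator growth since their own last checkpoint.
        delta = self.reward_per_token_accumulated() - self.user_checkpoint.get(user, 0)
        return self.stored.get(user, 0) + self.balances.get(user, 0) * delta // SCALE

    def stake(self, user, amount):
        self._checkpoint_global_reward()
        self.stored[user] = self.unclaimed_reward(user)
        self.user_checkpoint[user] = self.reward_per_token_accumulated_checkpoint
        self.balances[user] = self.balances.get(user, 0) + amount
        self.total_staked += amount

    def notify_reward(self, amount):
        # New reward plus any unstreamed remainder restarts a full-duration stream.
        self._checkpoint_global_reward()
        remaining = max(self.reward_end_time - self.now, 0) * self.reward_rate
        self.reward_rate = (amount * SCALE + remaining) // self.duration
        self.reward_end_time, self.last_checkpoint_time = self.now + self.duration, self.now

def last_second_deposit_scenario():
    # Constructed scenario: Bob deposits 9x Alice's stake right before the second notification.
    m = RewardModel(duration=1000)
    m.stake("alice", 100); m.notify_reward(1000)             # t = 0: 1000 streams over 1000s
    m.now = 500; m.stake("bob", 900); m.notify_reward(1000)  # t = 500: 500 left + 1000 new
    m.now = 1500                                             # stream finished
    return m.unclaimed_reward("alice"), m.unclaimed_reward("bob")
```

Alice keeps the full 500 streamed before Bob's deposit and receives 10% of the 1500 streamed afterwards (650 total); Bob receives 90% of only the post-deposit stream (1350), nothing from before it.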