When the queue item is inserted it is asserted through the minRequiredDeposit modifier that queue[i].assets is at least equal to the relayer fee. However, if the relayer fee is increased, this invariant can be broken. An attacker would be able to frontrun the relayer fee increase with the insert of an item that only covers the old fee. This would cause the mintDepositInQueue to revert and all unprocessed items that are still in queue before the malicious item to not be processable.
minhtrng
medium
Increasing relayer fee could break minting of deposits
Summary
If the relayer fee is increased, the function to mint deposits could be broken due to underflow.
Vulnerability Detail
The function
mintDepositInQueue
calculates the amount of shares to mint as difference of assets and relayerFee:When the queue item is inserted it is asserted through the
minRequiredDeposit
modifier thatqueue[i].assets
is at least equal to the relayer fee. However, if the relayer fee is increased, this invariant can be broken. An attacker would be able to frontrun the relayer fee increase with the insert of an item that only covers the old fee. This would cause themintDepositInQueue
to revert and all unprocessed items that are still in queue before the malicious item to not be processable.Impact
Harm to users, break of functionality.
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/ae7f210d8fbf21b9abf09ef30edfa548f7ae1aef/Earthquake/src/v2/Carousel/Carousel.sol#L334-L338
Tool used
Manual Review
Recommendation
Check that
queue[i].assets >= relayerFee
and pop if notDuplicate of #1