search

sherlock-audit / 2023-04-splits-judging

4 stars 1 forks source link

Bauer - Front-run attack to flash function #41

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

Bauer

medium

Front-run attack to flash function

Summary

A bad actor monitors the mempool and identifies that someone is attempting to exchange the assets. The actor then front-runs the setOracle() function and modifies the oracle to a malicious one. As a result, the user obtains an incorrect quote, and the protocol ends up transferring more tokens from the third-party to the beneficiary due to the malicious actor's actions.

Vulnerability Detail

The flash() function is used to perform a flash loan by calling the _transferToTrader function to transfer tokens to the trader, then calling the swapperFlashCallback function to execute arbitrary code, and finally calling the _transferToBeneficiary function to transfer tokens to the beneficiary. 

    function flash(OracleImpl.QuoteParams[] calldata quoteParams_, bytes calldata callbackData_)
        external
        payable
        pausable
    {
        address _tokenToBeneficiary = $tokenToBeneficiary;
        (uint256 amountToBeneficiary, uint256[] memory amountsToBeneficiary) =
            _transferToTrader(_tokenToBeneficiary, quoteParams_);

        ISwapperFlashCallback(msg.sender).swapperFlashCallback({
            tokenToBeneficiary: _tokenToBeneficiary,
            amountToBeneficiary: amountToBeneficiary,
            data: callbackData_
        });

        uint256 excessToBeneficiary = _transferToBeneficiary(_tokenToBeneficiary, amountToBeneficiary);

        emit Flash(msg.sender, quoteParams_, _tokenToBeneficiary, amountsToBeneficiary, excessToBeneficiary);
    }

The tokens transferred to the beneficiary depend on the oracle's quote. A bad actor creates a malicious swapper contract and deposits some assets into the pool. A third-party attempts to exchange some assets from the pool by calling theflash() function. The bad actor monitors the mempool and identifies that someone is attempting to exchange the assets. The actor then front-runs the setOracle() function and modifies the oracle to a malicious one. As a result, the user obtains an incorrect quote, and the protocol ends up transferring more tokens from the third-party to the beneficiary due to the malicious actor's actions.

Impact

The user may suffer significant losses of assets

Code Snippet

https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-swapper/src/SwapperImpl.sol#L163-L166

Tool used

Manual Review

Recommendation