A bad actor monitors the mempool and identifies that someone is attempting to exchange the assets. The actor then front-runs the setOracle() function and modifies the oracle to a malicious one. As a result, the user obtains an incorrect quote, and the protocol ends up transferring more tokens from the third-party to the beneficiary due to the malicious actor's actions.
Vulnerability Detail
The flash() function is used to perform a flash loan by calling the _transferToTrader function to transfer tokens to the trader, then calling the swapperFlashCallback function to execute arbitrary code, and finally calling the _transferToBeneficiary function to transfer tokens to the beneficiary.
The tokens transferred to the beneficiary depend on the oracle's quote.
A bad actor creates a malicious swapper contract and deposits some assets into the pool. A third-party attempts to exchange some assets from the pool by calling theflash() function. The bad actor monitors the mempool and identifies that someone is attempting to exchange the assets. The actor then front-runs the setOracle() function and modifies the oracle to a malicious one. As a result, the user obtains an incorrect quote, and the protocol ends up transferring more tokens from the third-party to the beneficiary due to the malicious actor's actions.
Bauer
medium
Front-run attack to flash function
Summary
A bad actor monitors the mempool and identifies that someone is attempting to exchange the assets. The actor then front-runs the
setOracle()
function and modifies the oracle to a malicious one. As a result, the user obtains an incorrect quote, and the protocol ends up transferring more tokens from the third-party to the beneficiary due to the malicious actor's actions.Vulnerability Detail
The
flash()
function is used to perform a flash loan by calling the _transferToTrader function to transfer tokens to the trader, then calling the swapperFlashCallback function to execute arbitrary code, and finally calling the _transferToBeneficiary function to transfer tokens to the beneficiary.The tokens transferred to the beneficiary depend on the oracle's quote. A bad actor creates a malicious swapper contract and deposits some assets into the pool. A third-party attempts to exchange some assets from the pool by calling the
flash()
function. The bad actor monitors the mempool and identifies that someone is attempting to exchange the assets. The actor then front-runs thesetOracle()
function and modifies the oracle to a malicious one. As a result, the user obtains an incorrect quote, and the protocol ends up transferring more tokens from the third-party to the beneficiary due to the malicious actor's actions.Impact
The user may suffer significant losses of assets
Code Snippet
https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-swapper/src/SwapperImpl.sol#L163-L166
Tool used
Manual Review
Recommendation