Sandwich Attack in Reward Validators

Summary

The vulnerability in OperationalStaking allows a malicious validator to exploit transaction order by staking before and after the reward distribution, strategically claiming rewards meant for other validators. This front-running manipulation results in significant gains for the malicious actor, compromising the fairness of reward distribution

Vulnerability Detail

The OperationalStaking contains a vulnerability in the rewardValidators functions that exposes it to potential sandwich attacks, a form of front-running manipulation in transaction order. The vulnerability arises when the owner deposits reward tokens into the contract so when StakingManager subsequently triggering the reward distribution to validators. If a malicious validator closely monitors the transaction pool and pending transactions, they can identify the rewardValidators transaction and called stake function to "buy/mint" alot of shares_tokens, right before the rewardValidators transaction immediately accrue a portion of the collected rewards that were meant to be attributed to other validators. so after reward is distribute among validators, The malicious validator can then immediately claim these rewards(redeemRewards), unstake. therefore the malicious validator stealing rewards from other validator.

Impact

The vulnerability allows a malicious validator to exploit transaction order, executing stake transactions strategically before and after reward distribution, leading to substantial gains through front-running and validator_shares manipulation.