search

sherlock-audit / 2023-11-covalent-judging

3 stars 2 forks source link

Bauer - Front-run attack on `rewardValidators()` #109

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

Bauer

medium

Front-run attack on rewardValidators()

Summary

rewardValidators() is susceptible to front-running, allowing attackers to capture protocol rewards.

Vulnerability Detail

In the rewardValidators() function, the protocol distributes rewards to Validators, thereby increasing the exchangeRate. 

            v.exchangeRate += uint128((uint256(amount - commissionPaid) * uint256(DIVIDER)) / v.totalShares);

            // commission is not compounded
            // commisison is distributed under the validator instance
            v.commissionAvailableToRedeem += commissionPaid;

            newRewardPool -= amount;

However, front-running is possible here. A malicious actor could observe that the staking manager is preparing to distribute rewards to Validators, stake in advance, wait for the rewards to be distributed and the exchangeRate to increase, quickly call redeemAllRewards() to claim the rewards, and then proceed to unstake.

Impact

The protocol is susceptible to front-running for obtaining rewards.

Code Snippet

https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L262-L319

Tool used

Manual Review

Recommendation

Pause staking before distributing rewards.

Duplicate of #47

sherlock-admin2 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

valid: a duplicate of issue 047 also; medium(4)