rewardValidators() is susceptible to front-running, allowing attackers to capture protocol rewards.
Vulnerability Detail
In the rewardValidators() function, the protocol distributes rewards to Validators, thereby increasing the exchangeRate.
v.exchangeRate += uint128((uint256(amount - commissionPaid) * uint256(DIVIDER)) / v.totalShares);
// commission is not compounded
// commisison is distributed under the validator instance
v.commissionAvailableToRedeem += commissionPaid;
newRewardPool -= amount;
However, front-running is possible here. A malicious actor could observe that the staking manager is preparing to distribute rewards to Validators, stake in advance, wait for the rewards to be distributed and the exchangeRate to increase, quickly call redeemAllRewards() to claim the rewards, and then proceed to unstake.
Impact
The protocol is susceptible to front-running for obtaining rewards.
Bauer
medium
Front-run attack on
rewardValidators()
Summary
rewardValidators()
is susceptible to front-running, allowing attackers to capture protocol rewards.Vulnerability Detail
In the
rewardValidators()
function, the protocol distributes rewards to Validators, thereby increasing theexchangeRate
.However, front-running is possible here. A malicious actor could observe that the staking manager is preparing to distribute rewards to Validators, stake in advance, wait for the rewards to be distributed and the
exchangeRate
to increase, quickly callredeemAllRewards()
to claim the rewards, and then proceed to unstake.Impact
The protocol is susceptible to front-running for obtaining rewards.
Code Snippet
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L262-L319
Tool used
Manual Review
Recommendation
Pause staking before distributing rewards.
Duplicate of #47