Missing Transaction Order Protections Enable Arbitrage Exploitation

Summary

The OperationalStaking contract contains functions like redeemRewards, stake, and unstake that are vulnerable to front-running attacks. These functions involve token transfers or significant state changes that malicious actors could exploit for profit.

Vulnerability Detail

The vulnerability arises because these functions do not use any mitigation mechanisms to prevent transaction order manipulation. This allows attackers to observe pending transactions and insert their own transactions to front-run legitimate users.

Impact

Successful front-running attacks can lead to financial loss for legitimate users through unfavorable rates, lost staking opportunities, or price slippage. Over time, reduced trust in the platform may also lead to declined usage.

Code Snippet

https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L584C5-L587C6 https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L400 https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L451

function redeemRewards(uint128 validatorId, address beneficiary, uint128 amount) external whenNotPaused {

  _redeemRewards(validatorId, beneficiary, amount);

}

Tool used

Manual Review

Recommendation

Commit-Reveal Scheme: Implement a 2-phase process to hide sensitive transaction details.
Time-Lock Mechanism: Add a delay between transaction submission and execution.

sherlock-admin2 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

nevillehuang commented 6 months ago

Invalid, seemingly a duplicate of #34, but the attack path is not clear.

sherlock-audit / 2023-11-covalent-judging

cheatcode - Missing Transaction Order Protections Enable Arbitrage Exploitation #120