search

sherlock-audit / 2023-12-flatmoney-judging

9 stars 7 forks source link

cheatcode - Front-Running Attacks in settleFundingFees and updateGlobalPositionData functions #272

Closed sherlock-admin2 closed 5 months ago

sherlock-admin2 commented 5 months ago

cheatcode

medium

Front-Running Attacks in settleFundingFees and updateGlobalPositionData functions

Summary

The settleFundingFees and updateGlobalPositionData functions are vulnerable to front-running attacks. These functions use the current price of the underlying asset, which can be manipulated by front-running.

Vulnerability Detail

The settleFundingFees function settles the funding fees between longs and LPs. If an attacker can front-run this transaction, they could potentially manipulate the funding fees to their advantage.

Similarly, the updateGlobalPositionData function updates the global position data based on the current price of the underlying asset. A front-runner could potentially manipulate the price used in this function by executing a transaction that changes the price before this function is executed.

Impact

Front-running transactions

Code Snippet

https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/FlatcoinVault.sol#L216 https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/FlatcoinVault.sol#L173

Tool used

Manual Review

Recommendation

sherlock-admin commented 5 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

nevillehuang commented 4 months ago

Invalid, insufficient proof of how price can be manipulated. Additionally, front-running is not possible on base chain based on comments in #49