Closed sherlock-admin2 closed 5 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid
Invalid, insufficient proof of how price can be manipulated. Additionally, front-running is not possible on base chain based on comments in #49
cheatcode
medium
Front-Running Attacks in settleFundingFees and updateGlobalPositionData functions
Summary
The
settleFundingFees
andupdateGlobalPositionData
functions are vulnerable to front-running attacks. These functions use the current price of the underlying asset, which can be manipulated by front-running.Vulnerability Detail
The
settleFundingFees
function settles the funding fees between longs and LPs. If an attacker can front-run this transaction, they could potentially manipulate the funding fees to their advantage.Similarly, the
updateGlobalPositionData
function updates the global position data based on the current price of the underlying asset. A front-runner could potentially manipulate the price used in this function by executing a transaction that changes the price before this function is executed.Impact
Front-running transactions
Code Snippet
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/FlatcoinVault.sol#L216 https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/FlatcoinVault.sol#L173
Tool used
Manual Review
Recommendation