Sandwich Chainlink Oracle update can enable riskless arbitrage
Summary
When chainlink updates the oracle price, a malicious actor can use own funds to sandwich the transaction and profit at the expense of the asset reserve of the protocol.
Vulnerability Detail
User deposits and withdraws asset from protocol, the asset price is retrieved from Chainlink Oracle.
Both deposit and withdrawal operations are process in rebalance(...) function, this function is supposed to be executed every 24 hours. However if there is no deposit or withdrawal, the function will not be executed.
Assuming LRT supports ETH and DAI, ETH price is 1000u and DAI price is 1u. There is no rebalance needed after 24 hours since the last rebalancing, Chainlink aggregator update transaction is broadcasted to the mempool, DAI price will become 0.98u after the transaction.
Bob can sandwich the price updated by submitting 4 transactions in the same block:
Front-run to mint 1 LRT by depositing 1000 DAI;
Back-run to request 1020 DAI withdrawal by transferring 1 LRT;
Back-run to call rebalance from an EOA;
Back-run to claim 1020 DAI.
Even when rebalance delay is not met, user can still sandwich to queue withdraw requests and asset will be extract after rebalance.
Impact
Some asset may be extracted from the protocol at each oracle update.
nevillehuang
commented
6 months ago
HSP
high
Sandwich Chainlink Oracle update can enable riskless arbitrage
Summary
When chainlink updates the oracle price, a malicious actor can use own funds to sandwich the transaction and profit at the expense of the asset reserve of the protocol.
Vulnerability Detail
User deposits and withdraws asset from protocol, the asset price is retrieved from Chainlink Oracle.
Both deposit and withdrawal operations are process in rebalance(...) function, this function is supposed to be executed every 24 hours. However if there is no deposit or withdrawal, the function will not be executed.
Assuming LRT supports ETH and DAI, ETH price is 1000u and DAI price is 1u. There is no rebalance needed after 24 hours since the last rebalancing, Chainlink aggregator update transaction is broadcasted to the mempool, DAI price will become 0.98u after the transaction.
Bob can sandwich the price updated by submitting 4 transactions in the same block:
Even when rebalance delay is not met, user can still sandwich to queue withdraw requests and asset will be extract after rebalance.
Impact
Some asset may be extracted from the protocol at each oracle update.
Code Snippet
https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/main/rio-sherlock-audit/contracts/restaking/RioLRTCoordinator.sol#L121
Tool used
Manual Review
Recommendation
Add a delay mechanism to prevent withdrawing in the same block as minting.