Malicious private vault owners can honeypot other users by withdrawing vault liquidity before a transfer/sale
Summary
Every private vault is represented by an NFT which is minted to the deployer of the vault, this is to make the transfer/sale of vault ownership easier in later stages. A malicious owner can honeypot other users by frontrunning the transfer/sale transaction and withdrawing all funds.
Vulnerability Detail
When a vault is deployed, a nft is minted to the account deploying the vault so that the ownership of said vault can be represented:
According to documentation this is "to tokenize the ownership of private vaults, thus rendering them transferable."
If any of these vaults are listed for sale on NFT marketplaces like OpenSea, a malicious user listing the vault for sale can create a "honeypot"-style attack by listing the vault for sale with funds within it. When an unbeknownst buyer/user buys the vault, the malicious user frontruns the buy transaction and withdraws all of the vault funds to another address.
By doing this, the malicious user pockets both the sale fee and the vault contents.
Create a mechanic in which the transfer of vaults would be possible only if all withdraw functionality is paused and can be unpaused after the transfer is completed.
iamandreiski
medium
Malicious private vault owners can honeypot other users by withdrawing vault liquidity before a transfer/sale
Summary
Every private vault is represented by an NFT which is minted to the deployer of the vault, this is to make the transfer/sale of vault ownership easier in later stages. A malicious owner can honeypot other users by frontrunning the transfer/sale transaction and withdrawing all funds.
Vulnerability Detail
When a vault is deployed, a nft is minted to the account deploying the vault so that the ownership of said vault can be represented:
According to documentation this is "to tokenize the ownership of private vaults, thus rendering them transferable."
If any of these vaults are listed for sale on NFT marketplaces like OpenSea, a malicious user listing the vault for sale can create a "honeypot"-style attack by listing the vault for sale with funds within it. When an unbeknownst buyer/user buys the vault, the malicious user frontruns the buy transaction and withdraws all of the vault funds to another address.
By doing this, the malicious user pockets both the sale fee and the vault contents.
Impact
Malicious user can honeypot other users.
Code Snippet
https://github.com/sherlock-audit/2024-03-arrakis/blob/64a7dc6ccb5de2824870474a9f35fd3386669e89/arrakis-modular/src/ArrakisMetaVaultFactory.sol#L244-L246
Tool used
Manual Review
Recommendation
Create a mechanic in which the transfer of vaults would be possible only if all withdraw functionality is paused and can be unpaused after the transfer is completed.