sherlock-audit / 2024-03-arrakis-judging

cergyk - Private vault NFT sale can be front-run to withdraw the funds #65

Closed sherlock-admin2 closed 5 months ago

sherlock-admin2 commented 5 months ago

cergyk

medium

Private vault NFT sale can be front-run to withdraw the funds

Summary

A malicious owner of a private vault can withdraw all funds before selling the corresponding ownership NFT. This can lead to the sale of an empty vault, defrauding the buyer.

Vulnerability Detail

In the ArrakisMetaVaultPrivate contract, ownership of the vault is represented by an NFT and it can be sold on the secondary market, effectively transferring ownership of the vault and its funds to the buyer: README.md#L86-L88. But a malicious seller can exploit the system by front-running and withdrawing all funds from the vault just before the NFT transfer is finalized, leaving the buyer with an empty vault: ArrakisMetaVaultPrivate.sol#L63-L80.

Scenario

  1. The owner of the private vault initiates a sale of the ownership NFT on a secondary market.
  2. Before the NFT transfer is completed, the owner front-runs a call to the ArrakisMetaVaultPrivate::withdraw function to withdraw all funds from the vault.
  3. The buying transaction gets through, and the buyer receives an empty vault.

Impact

Buyers can be defrauded by purchasing what they believe is a fully funded vault, only to find it empty. This undermines the trust in the system and can lead to substantial financial losses for buyers.

Code Snippet

Tool used

Manual Review

Recommendation

Implement a timelock that prevents withdrawals shortly before and after the NFT ownership transfer.
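
One way to realise the recommended timelock, as an added sketch that is not part of the original report and not Arrakis code. The contract name, the `COOLDOWN` value and the ETH-only vault with a plain `owner` field (standing in for the ownership NFT) are assumptions made to keep it self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not Arrakis code: every name below is hypothetical.
/// `owner` stands in for the holder of the vault's ownership NFT; with a real
/// ERC-721 the transfer-side check would sit in the token's transfer hook.
contract CooldownPrivateVault {
    uint256 public constant COOLDOWN = 1 days; // assumed window length

    address public owner;
    uint256 public lastWithdrawAt; // timestamp of the most recent withdrawal
    uint256 public lastTransferAt; // timestamp of the most recent ownership change

    error NotOwner();
    error CooldownActive(uint256 unlocksAt);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    receive() external payable {}

    /// Blocked for COOLDOWN after a transfer (the "after" half of the timelock).
    function withdraw(uint256 amount) external onlyOwner {
        _requireElapsed(lastTransferAt);
        lastWithdrawAt = block.timestamp; // state change before the external call
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "ETH transfer failed");
    }

    /// Blocked for COOLDOWN after a withdrawal (the "before" half): a withdrawal
    /// that front-runs the sale makes the sale revert instead of delivering
    /// an empty vault.
    function transferOwnership(address to) external onlyOwner {
        _requireElapsed(lastWithdrawAt);
        lastTransferAt = block.timestamp;
        owner = to;
    }

    function _requireElapsed(uint256 since) private view {
        // `since == 0` means the event never happened, so nothing is locked.
        uint256 unlocksAt = since == 0 ? 0 : since + COOLDOWN;
        if (block.timestamp < unlocksAt) revert CooldownActive(unlocksAt);
    }
}
```

Because the sale reverts when a withdrawal landed inside the window, the buyer's payment is not taken for an emptied vault; a withdrawal made earlier than `COOLDOWN` before the sale is already visible on-chain when the buyer decides.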