Bauer - `distributeYield()` may be front-run by bad actors to steal reward

[sherlock-admin4]

Bauer

high

distributeYield() may be front-run by bad actors to steal reward

Summary

In the distributeYield() function, the protocol deposits rewards into the corresponding contract and then updates the rewardRate. Malicious users can front-run to steal rewards from it

Vulnerability Detail

The function distributeYield() is responsible for distributing available yield within this contract to appropriate entities. Within this function, the protocol calls depositReward() to update the value of rewardData[_rewardsToken].rewardRate. The issue here is that malicious users can front-run distributeYield(). A bad actor monitors transactions in the transaction pool and, upon detecting distributeYield() in the pool, first calls stake() to stake tokens. Then, after distributeYield() executes, they call getRewards() to profit.

  // Distribute protocol earnings.
        for (uint256 i = 0; i < protocolRecipients.recipients.length; i++) {
            address _recipient = protocolRecipients.recipients[i];
            if (_recipient == IZivoeGlobals_YDL(GBL).stSTT() ||_recipient == IZivoeGlobals_YDL(GBL).stJTT()) {
                IERC20(distributedAsset).safeIncreaseAllowance(_recipient, _protocol[i]);
                IZivoeRewards_YDL(_recipient).depositReward(distributedAsset, _protocol[i]);
                emit YieldDistributedSingle(distributedAsset, _recipient, _protocol[i]);
            }

Impact

Front-running to profit, causing reduced rewards for other users

Code Snippet

https://github.com/sherlock-audit/2024-03-zivoe/blob/main/zivoe-core-foundry/src/ZivoeYDL.sol#L213-L310

Tool used

Manual Review

Recommendation

[pseudonaut]

Not valid

[sherlock-admin3]

1 comment(s) were left on this issue during the judging contest.

panprog commented:

invalid, staking for a short time does nothing, since reward for staking is accumulated over time, not instantly.