Loss From tokenDifferenceFromLiquidations Can be Avoided Through Frontrunning
Summary
LP's for LenderCommitmentGroup_Smart can avoid value loss paid to liquidators by frontrunning a liquidation with a withdrawal.
Vulnerability Detail
When liquidation occurs, there is a "token difference" given or payed by liquidators. When the liqudiators are paid the token difference, this is a loss to shares owners of LenderCommitmentGroup_Smart via decreasing the value returned by getPoolTotalEstimatedValue()
Share owners can avoid this loss by frontrunning the liquidation with burnSharesToWithdrawEarnings(). This will cause unfair loss for share owners who do not front run as the frontrunner effectiveless avoids all the decrease in exchange rate. The frontrunner can also immediately redeposit after the liquidation tranasction.
Impact
Share owners can unfairly avoid loss of value due to principal given to liqudiators. Existing share owners consequently suffer a larger proportion of the loss.
Bandit
high
Loss From
tokenDifferenceFromLiquidationsCan be Avoided Through FrontrunningSummary
LP's for
LenderCommitmentGroup_Smartcan avoid value loss paid to liquidators by frontrunning a liquidation with a withdrawal.Vulnerability Detail
When liquidation occurs, there is a "token difference" given or payed by liquidators. When the liqudiators are paid the token difference, this is a loss to shares owners of
LenderCommitmentGroup_Smartvia decreasing the value returned by getPoolTotalEstimatedValue()Share owners can avoid this loss by frontrunning the liquidation with
burnSharesToWithdrawEarnings(). This will cause unfair loss for share owners who do not front run as the frontrunner effectiveless avoids all the decrease in exchange rate. The frontrunner can also immediately redeposit after the liquidation tranasction.Impact
Share owners can unfairly avoid loss of value due to principal given to liqudiators. Existing share owners consequently suffer a larger proportion of the loss.
Code Snippet
https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/LenderCommitmentForwarder/extensions/LenderCommitmentGroup/LenderCommitmentGroup_Smart.sol#L422-L472
Tool used
Manual Review
Recommendation
Implement a withdrawal delay to prevent flash withdrawal/deposits.
Duplicate of #110