function _harvest (address _callFeeRecipient) private {
// Claim rewards from gauge
_claimEarnings();
// Charge fees for Beefy and send them to the appropriate addresses, charge fees to accrued state fee amounts.
(uint256 feeLeft) = _chargeFees(_callFeeRecipient, fees);
// Reset state fees to 0.
fees = 0;
// Notify rewards with our velo.
@> IRewardPool(rewardPool).notifyRewardAmount(output, feeLeft, 1 days);
// Log the last time we claimed fees.
lastHarvest = block.timestamp;
// Log the fees post Beefy fees.
emit Harvest(feeLeft);
}
We can see that left fee rewards arg given to rewardPool in _harvest(), An attacker can spot a transaction with a large reward in the memory pool, front-run it with staking on rewardPool, and gain more rewards.
no
high
Frontrun
harvest()
to get more rewardsSummary
Frontrun
harvest()
to get more rewardsVulnerability Detail
We can see that left fee rewards arg given to rewardPool in
_harvest()
, An attacker can spot a transaction with a large reward in the memory pool, front-run it with staking on rewardPool, and gain more rewards.Impact
gain more rewards
Code Snippet
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L438
Tool used
Manual Review
Recommendation
Allocate fee rewards to the actual liquidity provider instead of the reward pool.