search

sherlock-audit / 2024-05-beefy-cowcentrated-liquidity-manager-judging

5 stars 5 forks source link

no - Frontrun `harvest()` to get more rewards #72

Closed sherlock-admin3 closed 3 months ago

sherlock-admin3 commented 3 months ago

no

high

Frontrun harvest() to get more rewards

Summary

Frontrun harvest() to get more rewards

Vulnerability Detail

    function _harvest (address _callFeeRecipient) private {
        // Claim rewards from gauge
        _claimEarnings();

        // Charge fees for Beefy and send them to the appropriate addresses, charge fees to accrued state fee amounts.
        (uint256 feeLeft) = _chargeFees(_callFeeRecipient, fees);

        // Reset state fees to 0. 
        fees = 0;

        // Notify rewards with our velo. 
@>      IRewardPool(rewardPool).notifyRewardAmount(output, feeLeft, 1 days);

        // Log the last time we claimed fees. 
        lastHarvest = block.timestamp;

        // Log the fees post Beefy fees.
        emit Harvest(feeLeft);
    }

We can see that left fee rewards arg given to rewardPool in _harvest(), An attacker can spot a transaction with a large reward in the memory pool, front-run it with staking on rewardPool, and gain more rewards.

Impact

gain more rewards

Code Snippet

https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L438

Tool used

Manual Review

Recommendation

Allocate fee rewards to the actual liquidity provider instead of the reward pool.

sherlock-admin4 commented 3 months ago

1 comment(s) were left on this issue during the judging contest.

z3s commented:

Invalid; Frequent harvests are the intention, so front-running them is okay.