search

sherlock-audit / 2024-05-pooltogether-judging

13 stars 8 forks source link

0xSpearmint1 - Frontrunning liquidations consistently will lead to honest liquidators reverting and vault user's having less yield contributed to the PrizePool long term #74

Closed sherlock-admin2 closed 5 months ago

sherlock-admin2 commented 5 months ago

0xSpearmint1

medium

Frontrunning liquidations consistently will lead to honest liquidators reverting and vault user's having less yield contributed to the PrizePool long term

Summary

Frontrunning liquidations consistently will lead to honest liquidators reverting and vault user's having less yield contributed to the PrizePool.

Vulnerability Detail

The issue is that a liquidation can easily be frontrun by a malicious liquidator to achieve the following 2 outcomes:

  1. Get the profit that the honest liquidator would have got
  2. Make the honest liquidator's Tx revert, dis-incentivizing them from being a liquidator in the future

This opens up the following attack vector

  1. Attacker creates a bot to monitor every liquidation event for every vault
  2. Honest user sends a Tx to liqudiate yield for a vault
  3. the attacker's bot sees (2) and frontruns it with his own liquidation Tx
  4. The attacker will make the profit of the liquidation
  5. The honest liquidators Tx will revert, dis-incentivizing him from being a liquidator in the future
  6. Attacker repeats (1-4) for every liquidation on every vault

It is important to note that the liquidations are done via a first come first served Dutch auction therefore it is always more profitable to wait for another user's Tx then frontrun it. Hence the malicious attack vector pathway is more profitable always than the honest user's pathway.

After a short period of time most other liquidators will stop participating since their Tx keeps reverting. This creates the monopoly for the attacker, at this point they can comfortably delay liquidations for greater profits at the expense of users.

Impact

Honest user's Tx reverts consistently, this will dis-incentivize honest liquidators from doing the important job of claiming yield, this will further contribute to less yield contributed to the PrizePool, therefore the vault users have less chance of winning a prize.

This can lead to a monopoly of liquidators. This is bad since they can purposely delay liquidations for increased profits at the expense of all other users, with low risk since it is a monopoly

Code Snippet

https://github.com/sherlock-audit/2024-05-pooltogether/blob/1aa1b8c028b659585e4c7a6b9b652fb075f86db3/pt-v5-tpda-liquidator/src/TpdaLiquidationPair.sol#L195

Tool used

Manual Review

Recommendation

This will require a complex solution

sherlock-admin4 commented 5 months ago

2 comment(s) were left on this issue during the judging contest.

infect3d commented:

there is no solution for front-run

infect3d commented:

this risk is inherent to blockchain

nevillehuang commented 5 months ago

Invalid, this is how liquidations are supposed to work. Whoever comes in to perform the liquidation first should be the one reaping the rewards.