Users can frontrun LSTs/LRTs tokens prices decrease in order to avoid losses
Summary
Users can redeem their vaultShares then redeem PT/YT tokens before a price decrease of a supported LST/LRT token in order to avoid losses.
Vulnerability Detail
Notional allows users to redeem their PendlePrincipalTokenVault shares using _executeInstantRedemption(), where the corresponding portion of PT Tokens is exchanged for TOKEN_OUT_SY (e.g., weETH) in the Pendle protocol, and then the SysTokenOut is traded back to ETH in the market.
Using PendlePTEtherFiVault as an example:
Users who staked in PendlePTEtherFiVault can:
• Monitor the mempool and the beacon chain to know in advance if the eETH tokens will lose value.
• Frontrun the value loss by redeeming vaultShares via redeemFromNotional(), which will call `PendlePrincipalToken::_executeInstantRedemption()`. This process includes redeeming PT for weETH in the Pendle protocol, and finally exchanging it for ETH.
Because the value drop is still not reflected in the Notional protocol, the staker will be able to withdraw their funds without being affected by the losses.
In the case of eETH, a rebase token, an attacker can know if a balance drop will happen by monitoring the mempool for calls to rebase() in the EtherFi LiquidityPool contract.
Impact
Stakers can avoid losses, which implies honest stakers will lose more than they should.
ZeroTrust
Medium
Users can frontrun LSTs/LRTs tokens prices decrease in order to avoid losses
Summary
Users can redeem their vaultShares then redeem PT/YT tokens before a price decrease of a supported LST/LRT token in order to avoid losses.
Vulnerability Detail
Notional allows users to redeem their PendlePrincipalTokenVault shares using
_executeInstantRedemption()
, where the corresponding portion of PT Tokens is exchanged for TOKEN_OUT_SY (e.g., weETH) in the Pendle protocol, and then the SysTokenOut is traded back to ETH in the market.Using PendlePTEtherFiVault as an example: Users who staked in PendlePTEtherFiVault can:
Because the value drop is still not reflected in the Notional protocol, the staker will be able to withdraw their funds without being affected by the losses.
In the case of eETH, a rebase token, an attacker can know if a balance drop will happen by monitoring the mempool for calls to rebase() in the EtherFi LiquidityPool contract.
Impact
Stakers can avoid losses, which implies honest stakers will lose more than they should.
Code Snippet
https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/staking/protocols/PendlePrincipalToken.sol#L140
Tool used
Manual Review
Recommendation
Introduce a withdraw queue, this will prevent this kind of frontrunning attacks.