ZeroTrust - Users can frontrun LSTs/LRTs tokens prices decrease in order to avoid losses

[sherlock-admin2]

ZeroTrust

Medium

Users can frontrun LSTs/LRTs tokens prices decrease in order to avoid losses

Summary

Users can redeem their vaultShares then redeem PT/YT tokens before a price decrease of a supported LST/LRT token in order to avoid losses.

Vulnerability Detail

Notional allows users to redeem their PendlePrincipalTokenVault shares using _executeInstantRedemption(), where the corresponding portion of PT Tokens is exchanged for TOKEN_OUT_SY (e.g., weETH) in the Pendle protocol, and then the SysTokenOut is traded back to ETH in the market.

Using PendlePTEtherFiVault as an example: Users who staked in PendlePTEtherFiVault can:

•   Monitor the mempool and the beacon chain to know in advance if the eETH tokens will lose value.
•   Frontrun the value loss by redeeming vaultShares via redeemFromNotional(), which will call `PendlePrincipalToken::_executeInstantRedemption()`. This process includes redeeming PT for weETH in the Pendle protocol, and finally exchanging it for ETH.

Because the value drop is still not reflected in the Notional protocol, the staker will be able to withdraw their funds without being affected by the losses.

In the case of eETH, a rebase token, an attacker can know if a balance drop will happen by monitoring the mempool for calls to rebase() in the EtherFi LiquidityPool contract.

Impact

Stakers can avoid losses, which implies honest stakers will lose more than they should.

Code Snippet

https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/staking/protocols/PendlePrincipalToken.sol#L140

Tool used

Manual Review

Recommendation

Introduce a withdraw queue, this will prevent this kind of frontrunning attacks.

[sherlock-admin2]

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

Common issue in DeFi