Closed sherlock-admin4 closed 1 month ago
1 comment(s) were left on this issue during the judging contest.
merlinboii commented:
OOS. The function already introduces the slippage check for redeemInstant and the price data feed has the min/max acceptable range checks
admin
High
Front-Running and Price Manipulation at _convertMTokenToUsd and _convertUsdToToken functions for RedemptionVault contract
Summary
Line: https://github.com/sherlock-audit/2024-08-midas-minter-redeemer/blob/main/midas-contracts/contracts/RedemptionVault.sol#L151
Line: https://github.com/sherlock-audit/2024-08-midas-minter-redeemer/blob/main/midas-contracts/contracts/RedemptionVault.sol#L154
The rates for mToken and the output token are fetched via the _convertMTokenToUsd and _convertUsdToToken functions during a transaction. If there is a delay between fetching these rates and performing the final transfer, an attacker could manipulate the price feed data (if it's not secured) to benefit from the price difference.
Root Cause
Price manipulation
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
An attacker could manipulate the price feed data (if it's not secured) to benefit from the price difference.
PoC
1. Deploy the VulnerableContract with an initial price (e.g., 1 Ether per token).
2. Deploy the FrontRunningAttacker contract with references to the VulnerableContract and the token contract.
3. The attacker observes a legitimate user's transaction to buy tokens at the current price.
4. The attacker calls frontRun to:
   - Manipulate the price to a lower value using manipulatePrice.
   - Buy tokens at the manipulated, lower price.
   - Reset the price to the original value.
5. The legitimate user's transaction is executed, but the price has already been restored, so they receive fewer tokens than expected, while the attacker profits from the difference.
Mitigation
Consider using Chainlink’s latestAnswer with a time-weighted average price (TWAP) or implementing a check to ensure the rate hasn’t drastically changed between the time it was first fetched and when the transfer occurs.
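The defensive checks named in the judging comment (a caller-supplied slippage bound and min/max range checks on the feed answer), as an added Solidity sketch that is not code from the Midas repository or from this report. The contract, function and parameter names are hypothetical, the staleness check is an extra guard added here, and the feed is assumed to report at most 18 decimals.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Minimal Chainlink aggregator interface; latestRoundData() is the real Chainlink call.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical example contract: all names and bounds below are assumptions.
contract GuardedRateExample {
    AggregatorV3Interface public immutable feed;
    uint256 public immutable maxAge;   // seconds a feed answer stays acceptable
    int256 public immutable minAnswer; // lowest accepted answer, in feed decimals
    int256 public immutable maxAnswer; // highest accepted answer, in feed decimals

    constructor(AggregatorV3Interface _feed, uint256 _maxAge, int256 _min, int256 _max) {
        require(_min > 0 && _min <= _max, "bad bounds");
        feed = _feed;
        maxAge = _maxAge;
        minAnswer = _min;
        maxAnswer = _max;
    }

    // Returns the rate scaled to 18 decimals; reverts on stale or out-of-range data.
    function checkedRate() public view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(block.timestamp - updatedAt <= maxAge, "stale price");
        require(answer >= minAnswer && answer <= maxAnswer, "price out of range");
        // Assumes feed.decimals() <= 18; the subtraction reverts otherwise.
        return uint256(answer) * 10 ** (18 - feed.decimals());
    }

    // The rate is read and applied inside one call, and the result is compared
    // with the caller's own minimum (minOut) before anything would be transferred.
    function quoteOut(uint256 amountIn, uint256 minOut) external view returns (uint256 out) {
        out = (amountIn * checkedRate()) / 1e18;
        require(out >= minOut, "slippage: below minOut");
    }
}
```

In a real vault the transfer would follow the `minOut` check in the same transaction, so a caller who sets `minOut` from an off-chain quote gets a revert rather than a worse rate.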