This repository has been archived by the owner on May 26, 2023. It is now read-only.

obront - Referrers can front run orders to increase referral fee #29

Closed
sherlock-admin opened this issue Nov 17, 2022 · 1 comment

Comments

@sherlock-admin
Contributor

obront

medium

Referrers can front run orders to increase referral fee

Summary

The setReferrerFee() function in BondBaseTeller.sol has no authorization and can be called by anyone. This can be used by a referrer to front run a user's transaction to temporarily increase the referral fee for the user's transaction.

Vulnerability Detail

When bonds are purchased from BondBaseTeller.sol, the referrer fee is calculated by taking the individual referrer's fee (represented as a fraction of 1e5) and multiplying it by the amount purchased:

uint256 toReferrer = amount_.mulDiv(referrerFees[referrer_], FEE_DECIMALS);

This fee is set in the setReferrerFee() function:

function setReferrerFee(uint48 fee_) external override nonReentrant {
    if (fee_ > 5e3) revert Teller_InvalidParams();
    referrerFees[msg.sender] = fee_;
}

Because a referrer can set their own fee at any time and there are no validations for a user that the referral fee won't increase above what they expected when they signed their transaction, a referrer can watch the mempool and frontrun user transactions to temporarily increase their fee, earn a higher share of rewards, and lower the fee back.

Impact

Users may submit a transaction with a clear expectation of the referral fees that will be charged, and end up with a different fee than expected.

Code Snippet

https://github.com/sherlock-audit/2022-11-bond/blob/main/src/bases/BondBaseTeller.sol#L87-L91

Tool used

Manual Review

Recommendation

There are a few ways to avoid this issue, most of which have some complexity. The two options I'd recommend:

  1. Along with the referral fee, save the old referral fee and the block at which it was set. Then, in purchase(), you can set the fee with block.number > blockSet ? referralFee : oldReferralFee.

  2. Have users include a "slippage" value that sets the max amount of referral fee they are willing to pay. This can be set to the current referral fee, and will only error if the fee is increased after they signed their transaction.

@Evert0x

Evert0x commented Nov 17, 2022

Message from sponsor


Acknowledge that this is front-runnable in theory. However, we do not believe it is an issue in practice for two reasons.

    1. Users set a minAmountOut in their purchase call which acts as a slippage check. If users set a tight slippage (which they should), then changing the referrer fee prior to the purchase should cause it to revert due to slippage.
    2. Front-ends/referrers who front-run their users are likely not going to have users for very long, especially in a competitive interface environment.

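The following is an added model of the front-run and of the three checks discussed in this thread (the two mitigations from the issue's Recommendation and the existing minAmountOut check the sponsor relies on). It is not code from the Bond Protocol repository or from either participant. Only the fee arithmetic comes from the page: fees are fractions of FEE_DECIMALS (1e5), capped at 5e3, and toReferrer = amount * fee / FEE_DECIMALS. The block simulation, the Teller class, the error names Teller_ReferrerFeeTooHigh and Teller_Slippage, the max_referrer_fee parameter and the 1:1 payout model (amount minus referrer fee, no protocol fee) are assumptions made for illustration.

```python
"""Model of the referrer-fee front-run described in this issue (added example).

Only the fee arithmetic mirrors BondBaseTeller; everything else is an assumed
simplification: blocks are a counter, payout is amount minus the referrer fee
at a 1:1 price, and the error names are hypothetical.
"""
from typing import Optional

FEE_DECIMALS = 100_000      # 1e5: a fee of 100 is 0.1 %
MAX_REFERRER_FEE = 5_000    # 5e3: the cap enforced by setReferrerFee()


def mul_div(a: int, b: int, d: int) -> int:
    """Solidity-style mulDiv on unbounded Python ints: floor(a * b / d)."""
    return (a * b) // d


class Teller:
    """Minimal stand-in for BondBaseTeller's referrer-fee bookkeeping."""

    def __init__(self) -> None:
        self.block_number = 1
        self.referrer_fees: dict[str, int] = {}   # referrerFees[referrer]
        # State for mitigation 1 (assumed): previous fee and block it was last set in.
        self.old_fees: dict[str, int] = {}
        self.fee_set_block: dict[str, int] = {}
        self.earned: dict[str, int] = {}

    def mine(self) -> None:
        self.block_number += 1

    def set_referrer_fee(self, referrer: str, fee: int) -> None:
        """Unauthenticated, as on the page: any address may set its own fee."""
        if fee > MAX_REFERRER_FEE:
            raise ValueError("Teller_InvalidParams")
        # Snapshot the old fee only on the first change within a block, so two
        # changes in one block cannot smuggle a fresh value into old_fees.
        if self.fee_set_block.get(referrer) != self.block_number:
            self.old_fees[referrer] = self.referrer_fees.get(referrer, 0)
        self.referrer_fees[referrer] = fee
        self.fee_set_block[referrer] = self.block_number

    def fee_for(self, referrer: str, delayed: bool) -> int:
        """Mitigation 1: a fee set in the current block applies only from the next."""
        if delayed and self.fee_set_block.get(referrer) == self.block_number:
            return self.old_fees.get(referrer, 0)
        return self.referrer_fees.get(referrer, 0)

    def purchase(self, amount: int, referrer: str, *, delayed_fee: bool = False,
                 max_referrer_fee: Optional[int] = None,
                 min_amount_out: int = 0) -> tuple:
        """Returns (payout, to_referrer) or raises when a check fails."""
        fee = self.fee_for(referrer, delayed_fee)
        # Mitigation 2 (assumed parameter): caller-supplied referrer-fee slippage.
        if max_referrer_fee is not None and fee > max_referrer_fee:
            raise ValueError("Teller_ReferrerFeeTooHigh")   # hypothetical error
        to_referrer = mul_div(amount, fee, FEE_DECIMALS)
        payout = amount - to_referrer                         # simplified 1:1 payout
        # The existing minAmountOut check the sponsor's reply refers to.
        if payout < min_amount_out:
            raise ValueError("Teller_Slippage")               # hypothetical error
        self.earned[referrer] = self.earned.get(referrer, 0) + to_referrer
        return payout, to_referrer


AMOUNT = 10_000
QUOTED_FEE = 100    # 0.1 %, the fee the user saw when signing (constructed)


def front_run(**purchase_kwargs) -> tuple:
    """Replay the attack: the referrer raises its fee in the same block as the
    victim's purchase and lowers it again afterwards.

    Returns ("executed", amount_to_referrer) or ("reverted", reason).
    """
    t = Teller()
    ref = "0xreferrer"                                   # constructed address
    t.set_referrer_fee(ref, QUOTED_FEE)
    t.mine()                                             # user signs against 0.1 %
    t.set_referrer_fee(ref, MAX_REFERRER_FEE)            # front-run: raise to 5 %
    try:
        _, to_ref = t.purchase(AMOUNT, ref, **purchase_kwargs)
    except ValueError as exc:
        return ("reverted", str(exc))
    t.set_referrer_fee(ref, QUOTED_FEE)                  # back-run: restore 0.1 %
    return ("executed", to_ref)


def run_scenarios() -> dict:
    expected_fee = mul_div(AMOUNT, QUOTED_FEE, FEE_DECIMALS)   # 10, what the user expected
    return {
        "unmitigated": front_run(),
        "delayed_fee": front_run(delayed_fee=True),
        "max_fee_slippage": front_run(max_referrer_fee=QUOTED_FEE),
        "tight_min_out": front_run(min_amount_out=AMOUNT - expected_fee),
        "loose_min_out": front_run(min_amount_out=AMOUNT * 90 // 100),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:18} {result}")
```

Running it shows the unmitigated purchase paying the referrer 500 instead of the expected 10; the block-delayed fee keeps the user at 10, and the max-fee parameter reverts. The two minAmountOut rows illustrate the sponsor's point and its limit: a tight value (payout at the quoted fee) reverts, but a loose 10 % tolerance lets the 5 % fee through, because the check is on the total payout rather than on the referrer's share.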