Skip to content
This repository has been archived by the owner on May 26, 2024. It is now read-only.

mstpr-brainbot - Yield can be sandwiched #48

Closed
sherlock-admin opened this issue Nov 25, 2023 · 1 comment
Closed

mstpr-brainbot - Yield can be sandwiched #48

sherlock-admin opened this issue Nov 25, 2023 · 1 comment
Labels
Non-Reward This issue will not receive a payout Sponsor Disputed The sponsor disputed this issue's validity

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Nov 25, 2023
edited by sherlock-admin2
Loading

mstpr-brainbot

high

Yield can be sandwiched

Summary

During a reinvestment, the total claims of the pool increase, but the shares remain unaffected. Consequently, users who hold vault shares experience an increase in LP token claims on their shares. However, the reinvestment call is susceptible to being sandwiched. If a user deposits just before the reinvestment and exits immediately afterward, that user pockets the profit without being an actual vault shareholder. This action disrupts the yield of other vault shareholders.

Vulnerability Detail

Let's consider a scenario where the total vault shares amount to 100 tokens, and there are 100 LP tokens in the vault. When the reinvestment manager triggers a reinvestment, buying an additional 10 LP tokens, Alice, an MEV expert, notices this transaction in the mempool. She swiftly enters the vault just before the reinvestment occurs, mints tokens at a 1:1 ratio, and immediately after the reinvestment function, Alice exits the vault, claiming the yield for herself. This maneuver adversely affects other vault holders, resulting in them receiving lower yields, while Alice gains an unfair advantage by being in the vault for only one block.

Moreover, Alice can scale up this attack significantly. By depositing a large number of tokens via flash loans, she can acquire a substantial share from the vault. As she holds the majority of the shares, Alice receives the bulk of the yield. Consequently, other vault shareholders receive minimal yield, significantly diminishing their returns.

Impact

High since it can block the yield

Code Snippet

https://github.com/sherlock-audit/2023-10-notional/blob/7aadd254da5f645a7e1b718e7f9128f845e10f02/leveraged-vaults/contracts/vaults/common/SingleSidedLPVaultBase.sol#L385-L411

Tool used

Manual Review

Recommendation
@github-actions github-actions bot added High A valid High severity issue Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Nov 27, 2023
@github-actions github-actions bot mentioned this issue Nov 27, 2023
Closed
@jeffywu
Copy link

jeffywu commented Nov 28, 2023

The Notional Vault framework prevents users from entering and exiting within a 5 minute period:
https://github.com/notional-finance/contracts-v2/blob/deploy/arbitrum-one/contracts/external/actions/VaultAccountAction.sol#L230

Therefore reinvestments cannot be purely sandwiched.

@jeffywu jeffywu added the Sponsor Disputed The sponsor disputed this issue's validity label Nov 28, 2023
@Czar102 Czar102 removed the High A valid High severity issue label Dec 3, 2023
@sherlock-admin2 sherlock-admin2 changed the title Huge Cinnamon Dalmatian - Yield can be sandwiched mstpr-brainbot - Yield can be sandwiched Dec 4, 2023
@sherlock-admin2 sherlock-admin2 added Non-Reward This issue will not receive a payout and removed Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Dec 4, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Non-Reward This issue will not receive a payout Sponsor Disputed The sponsor disputed this issue's validity
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jeffywu @Czar102 @nevillehuang @sherlock-admin @sherlock-admin2