Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Users may avoid gauge loss penalty by frontrunning the LendingTerm notifying loss #1216

Closed
c4-bot-5 opened this issue Dec 28, 2023 · 6 comments
Closed

Users may avoid gauge loss penalty by frontrunning the LendingTerm notifying loss #1216

c4-bot-5 opened this issue Dec 28, 2023 · 6 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-877 sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-bot-5
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/loan/LendingTerm.sol#L725-L825
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/LendingTerm.sol#L695-L722
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/ProfitManager.sol#L292-L405

Vulnerability details

In case of LendingTerm.onBid(), or LendingTerm.forgive(), ProfitManager.notifyPnL() is called to signal loss. If the loss is signalled, any holder of losing gauge has to apply the loss. Currently, the loss may be very bad for the user, because all guild tokens voted on the gauge are burned with even slightest loss. Naturally, noone wants that happening to them, hence anyone can watch the mempool for transactions incurring losses and frontrun it, saving all their GUILD tokens.

Impact

Users are able to game gauge loss penalty by frontrunning the LendingTerm notifying loss.

Proof of Concept

  1. Transaction signalling loss to the protocol is put into mempool.
  2. User observes it and frontruns the transaction to withdraw their stake.
  3. The user backruns the transaction and stakes again.
  4. The user skipped the punishment completely.

Tools Used

Manual analysis

Recommended Mitigation Steps

Consider introducing lock time for gauge staking and unstaking.

Assessed type

Error
@c4-bot-5 c4-bot-5 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Dec 28, 2023
c4-bot-7 added a commit that referenced this issue Dec 28, 2023
@c4-bot-7
deliriusz issue #1216
2d8edfa
@c4-pre-sort
Copy link

0xSorryNotSorry marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Dec 29, 2023
@c4-pre-sort
Copy link

0xSorryNotSorry marked the issue as duplicate of #906

@c4-pre-sort
Copy link

0xSorryNotSorry marked the issue as duplicate of #877

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Jan 25, 2024
@c4-judge
Copy link
Contributor

Trumpero marked the issue as unsatisfactory:
Invalid

2 similar comments
@c4-judge
Copy link
Contributor

Trumpero marked the issue as unsatisfactory:
Invalid

@c4-judge
Copy link
Contributor

Trumpero marked the issue as unsatisfactory:
Invalid

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-877 sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@c4-judge @c4-pre-sort @c4-bot-5