This repository has been archived by the owner on Dec 31, 2023. It is now read-only.
dirk_y - User can perform sandwich attack on withdrawReserves for profit #22
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
High
A valid High severity issue
Reward
A payout will be made for this issue
Will Fix
The sponsor confirmed this issue will be fixed
dirk_y
high
User can perform sandwich attack on withdrawReserves for profit
Summary
A malicious user could listen to the mempool for calls to withdrawReserves, at which point they can perform a sandwich attack by calling userDeposit before the withdraw reserves transaction and then userWithdraw after the withdraw reserves transaction. They can accomplish this using a tool like flashbots and make an instantaneous profit due to changes in exchange rates.
Vulnerability Detail
When a user deposits or withdraws from the vault, the exchange rate of the token is calculated between the token itself and its dToken. As specified in an inline comment, the exchange rate is calculated like so:
// exchangeRate = (cash + totalBorrows -reserves) / dTokenSupply
where reserves = info.totalReserves - info.withdrawnReserves. When the owner of the vault calls withdrawReserves the withdrawnReserves value increases, so the numerator of the above formula increases, and thus the exchange rate increases. An increase in exchange rate means that the same number of dTokens is now worth more of the underlying ERC20.
Below is a diff to the existing test suite that demonstrates the sandwich attack in action:
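The test-suite diff the issue refers to is not reproduced on this page. As an added illustration (not the issue author's diff and not DODO's own code), the Python model below uses the exchange-rate formula quoted above and the accounting the issue describes (withdrawnReserves grows while nothing else in the numerator moves) to show two checks a reviewer would write: an invariant that withdrawing protocol reserves must not change what a dToken is worth to existing depositors, and a deposit/withdrawReserves/withdraw round trip as a test oracle. The AssetInfo fields, the sample balances and the "balanced" variant that debits tracked cash alongside withdrawnReserves are assumptions for the model, not the project's storage layout or its fix.

```python
from dataclasses import dataclass

WAD = 10**18  # 1e18 fixed-point scale used for the exchange rate


@dataclass
class AssetInfo:
    # Constructed, simplified per-token vault state; field names mirror the issue's
    # comment (cash, totalBorrows, totalReserves, withdrawnReserves, dTokenSupply),
    # but this is an assumed model, not the D3Vault storage layout.
    cash: int
    total_borrows: int
    total_reserves: int
    withdrawn_reserves: int
    dtoken_supply: int


def exchange_rate(info: AssetInfo) -> int:
    """exchangeRate = (cash + totalBorrows - reserves) / dTokenSupply, scaled by WAD,
    with reserves = totalReserves - withdrawnReserves (the formula quoted in the issue)."""
    if info.dtoken_supply == 0:
        return WAD
    reserves = info.total_reserves - info.withdrawn_reserves
    return (info.cash + info.total_borrows - reserves) * WAD // info.dtoken_supply


def user_deposit(info: AssetInfo, amount: int) -> int:
    """Deposit underlying and mint dTokens at the current rate; returns dTokens minted."""
    minted = amount * WAD // exchange_rate(info)
    info.cash += amount
    info.dtoken_supply += minted
    return minted


def user_withdraw(info: AssetInfo, dtokens: int) -> int:
    """Burn dTokens and pay out underlying at the current rate; returns underlying paid."""
    out = dtokens * exchange_rate(info) // WAD
    info.cash -= out
    info.dtoken_supply -= dtokens
    return out


def withdraw_reserves_as_described(info: AssetInfo, amount: int) -> None:
    """Accounting as the issue describes it (assumed model): withdrawnReserves grows,
    nothing else in the numerator moves, so the exchange rate jumps upward."""
    assert amount <= info.total_reserves - info.withdrawn_reserves
    info.withdrawn_reserves += amount


def withdraw_reserves_balanced(info: AssetInfo, amount: int) -> None:
    """Hardened accounting (an assumed fix, not the project's): the tokens sent to the
    owner also leave the tracked cash, so the numerator and the rate are unchanged."""
    assert amount <= info.total_reserves - info.withdrawn_reserves
    info.withdrawn_reserves += amount
    info.cash -= amount


def fresh_vault() -> AssetInfo:
    # Constructed sample state: numerator = 10000 + 5000 - 500 = 14500, supply 14500 -> rate 1.0
    return AssetInfo(cash=10_000 * WAD, total_borrows=5_000 * WAD, total_reserves=500 * WAD,
                     withdrawn_reserves=0, dtoken_supply=14_500 * WAD)


def rate_invariant_holds(withdraw_reserves_fn, amount: int = 100 * WAD) -> bool:
    """Invariant a reviewer would test: withdrawing protocol reserves must not change
    what one dToken is worth to the depositors already in the vault."""
    info = fresh_vault()
    before = exchange_rate(info)
    withdraw_reserves_fn(info, amount)
    return exchange_rate(info) == before


def round_trip_delta(withdraw_reserves_fn, deposit: int = 1_000 * WAD, amount: int = 100 * WAD) -> int:
    """Underlying gained (or lost) by a depositor who enters right before withdrawReserves
    and exits right after it; the issue's scenario written as a test oracle (0 means safe)."""
    info = fresh_vault()
    minted = user_deposit(info, deposit)
    withdraw_reserves_fn(info, amount)
    return user_withdraw(info, minted) - deposit


if __name__ == "__main__":
    print("rate preserved (as described):", rate_invariant_holds(withdraw_reserves_as_described))
    print("round-trip delta (as described):", round_trip_delta(withdraw_reserves_as_described) / WAD)
    print("rate preserved (balanced):", rate_invariant_holds(withdraw_reserves_balanced))
    print("round-trip delta (balanced):", round_trip_delta(withdraw_reserves_balanced) / WAD)
```

With the sample state, the accounting the issue describes moves the rate from 1.0 to 15600/15500 after a 100-token reserve withdrawal, and a 1000-token round trip around it comes out about 6.45 tokens ahead, which is exactly the value other depositors lose; the balanced accounting keeps the rate at 1.0 and the round trip at zero. A property test of `rate_invariant_holds` across random vault states is the durable regression check.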
Impact
An attacker can perform a sandwich attack on calls to withdrawReserves to make an instantaneous profit from the protocol. This effectively steals funds away from other legitimate users of the protocol.
Code Snippet
https://github.com/sherlock-audit/2023-06-dodo/blob/main/new-dodo-v3/contracts/DODOV3MM/D3Vault/D3VaultFunding.sol#L235
Tool used
Manual Review
Recommendation
There are a couple of ways this type of attack could be prevented: