Phoenix-Protocol-Group/phoenix-contracts

PHOAM-012: Pool admin can steal user swap funds via front-running

Closed this issue · 0 comments

Location

./contracts/pool/src/contract.rs:515
./contracts/pool/src/contract.rs:776

Description
The pool admin can front-run a swap call with an update_config call that modifies the pool swap fees. This causes the pool to divert the entire ask token return amount as platform fees, leaving the user with fewer tokens than expected (up to 100% less).
In the swap function, the swap fees are included in the total return amount, which is used to verify that the swap spread falls within accepted values.

Additionally, the swap function does not allow users to specify the maximum allowed swap platform fee.
Moreover, the update_config function does not enforce a cap on the total_fee_bps parameter, allowing it to be set up to 100% of the swapped amount.

Therefore, a malicious admin can increase the swap fees to 100% just before a swap is executed, causing the swap output tokens to be considered as platform fees.

Recommendation
Users should be able to provide the fee percentage they agree to when executing the swap. Additionally, the maximum swap fee that can be set by the pool admin should be capped.
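As an added illustration of both recommendations (this is example code, not the phoenix-contracts implementation), the following stand-alone Rust model of a constant-product pool shows a protocol-level cap enforced in update_config, a user-supplied max_fee_bps checked in swap, and a spread check applied to the net return rather than the gross return so that a fee hike cannot hide inside the slippage budget. All names (PoolConfig, MAX_TOTAL_FEE_BPS, SwapError, compute_swap), the 10% cap value and the reserve figures are assumptions made for this example.

```rust
// Added example (not the phoenix-contracts code): a minimal constant-product
// pool showing the PHOAM-012 mitigations. All identifiers and values are assumed.

const BPS: u128 = 10_000;
/// Protocol-wide ceiling on what the admin may configure (assumed: 10% of the swap).
pub const MAX_TOTAL_FEE_BPS: u128 = 1_000;

#[derive(Debug, Clone, PartialEq)]
pub struct PoolConfig {
    pub admin: String,
    pub total_fee_bps: u128,
}

#[derive(Debug, PartialEq)]
pub enum SwapError {
    Unauthorized,
    FeeTooHigh,        // admin tried to set a fee above MAX_TOTAL_FEE_BPS
    FeeAboveUserLimit, // pool fee exceeds the max_fee_bps the user agreed to
    SpreadTooHigh,     // net return deviates from spot price by more than max_spread_bps
}

#[derive(Debug, PartialEq)]
pub struct SwapResult {
    pub return_amount: u128, // what the user actually receives (net of fee)
    pub fee_amount: u128,
}

/// Admin-only fee update. The cap makes a 100% fee unconfigurable even by the admin.
pub fn update_config(cfg: &mut PoolConfig, caller: &str, new_fee_bps: u128) -> Result<(), SwapError> {
    if caller != cfg.admin {
        return Err(SwapError::Unauthorized);
    }
    if new_fee_bps > MAX_TOTAL_FEE_BPS {
        return Err(SwapError::FeeTooHigh);
    }
    cfg.total_fee_bps = new_fee_bps;
    Ok(())
}

/// Constant-product output (x*y=k) split into (net return, fee, spot-price reference).
fn compute_swap(offer_reserve: u128, ask_reserve: u128, offer: u128, fee_bps: u128) -> (u128, u128, u128) {
    let k = offer_reserve * ask_reserve;
    let gross = ask_reserve - k / (offer_reserve + offer);
    // What a frictionless trade at the current spot price would return.
    let spot = offer * ask_reserve / offer_reserve;
    let fee = gross * fee_bps / BPS;
    (gross - fee, fee, spot)
}

/// Swap with the two user-side guards: an explicit fee limit and a spread check
/// on the NET amount, so fees cannot be smuggled past the slippage tolerance.
pub fn swap(
    cfg: &PoolConfig,
    offer_reserve: u128,
    ask_reserve: u128,
    offer: u128,
    max_fee_bps: u128,
    max_spread_bps: u128,
) -> Result<SwapResult, SwapError> {
    // Guard 1: the user states the fee they agreed to; a front-run config change fails here.
    if cfg.total_fee_bps > max_fee_bps {
        return Err(SwapError::FeeAboveUserLimit);
    }
    let (net, fee, spot) = compute_swap(offer_reserve, ask_reserve, offer, cfg.total_fee_bps);
    // Guard 2: compare the net return (after fees) with the spot price, not the gross return.
    // deviation/spot > max_spread_bps/BPS  <=>  deviation*BPS > max_spread_bps*spot
    let deviation = spot.saturating_sub(net);
    if deviation * BPS > max_spread_bps * spot {
        return Err(SwapError::SpreadTooHigh);
    }
    Ok(SwapResult { return_amount: net, fee_amount: fee })
}

fn main() {
    // Constructed sample pool: 1,000,000 / 1,000,000 reserves, 0.30% fee, user swaps 10,000.
    let mut cfg = PoolConfig { admin: "admin".to_string(), total_fee_bps: 30 };
    println!("{:?}", swap(&cfg, 1_000_000, 1_000_000, 10_000, 50, 200));
    // Admin cannot push the fee to 100%.
    println!("{:?}", update_config(&mut cfg, "admin", 10_000));
    // Even at the 10% cap, a user who agreed to 0.50% is protected.
    update_config(&mut cfg, "admin", 1_000).unwrap();
    println!("{:?}", swap(&cfg, 1_000_000, 1_000_000, 10_000, 50, 200));
}
```

The spread check is evaluated on the amount the user receives, so a fee raised within the cap but above the user's tolerance is rejected by either guard independently; removing the max_fee_bps guard alone would still leave the net spread check to catch a 10% fee against a 2% tolerance.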