Sandwich Attacks in BondingCurve's Price Calculation Functions
c4-bot-3 opened this issue · 0 comments
Lines of code
Vulnerability details
Description
In the BondingCurve contract, the getPrice, getBuyPrice, and getSellPrice functions calculate the price of shares based on the current supply (supply_) and the amount being bought or sold (amount_). The calculation is deterministic based on the current state of the contract, particularly the supply_.
An attacker can observe a pending transaction on the network where a user intends to buy or sell shares. The attacker can then send a transaction that changes the supply of shares before the user's transaction is processed. This manipulation affects the price calculation in the user's transaction. For example, if a user intends to buy shares, the attacker could buy shares first, increasing the price. The user's transaction would then execute at a higher price than anticipated.
Once the user's transaction is executed at a manipulated price, the attacker can send another transaction to reverse their initial manipulation (e.g., selling the shares they bought at a profit). This sequence of transactions (front-run, user transaction, back-run) allows the attacker to profit at the user's expense.
If the supply is increased right before the user's buy transaction, the getPrice function will calculate a higher price, and the user will end up paying more than expected. Conversely, if the supply is decreased right before the user's sell transaction, the getPrice function will calculate a lower price, and the user will receive less than expected.
Impact
The impact of this issue is significant as it allows attackers to exploit users by manipulating the share price, leading to financial losses for users. The lack of slippage protection means that users have no way to ensure they pay or receive the expected amount when buying or selling shares.
Tools Used
Manual Review
Recommendation
Introduce a mechanism where users can specify a maximum slippage (i.e., the maximum acceptable difference between the expected and actual prices) when submitting buy or sell transactions. If the price deviates beyond this threshold, the transaction should revert.
Assessed type
Other
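The slippage bound from the Recommendation, as an added Solidity example that is not part of the original report or the audited contract. The linear curve, the contract name, PRICE_STEP, the buy/sell functions and the maxCost_/minProceeds_ parameters are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited BondingCurve code. The linear curve,
// PRICE_STEP, buy/sell and the maxCost_/minProceeds_ parameters are assumptions.
contract SlippageGuardedMarket {
    // Assumed curve: the n-th share costs n * PRICE_STEP.
    uint256 public constant PRICE_STEP = 0.001 ether;
    uint256 public supply;
    mapping(address => uint256) public balanceOf;

    error SlippageExceeded(uint256 actual, uint256 limit);

    // Total price of shares supply_+1 .. supply_+amount_ (arithmetic series).
    function getPrice(uint256 supply_, uint256 amount_) public pure returns (uint256) {
        return (PRICE_STEP * amount_ * (2 * supply_ + amount_ + 1)) / 2;
    }

    // maxCost_ is the most the caller agreed to pay when signing the transaction.
    function buy(uint256 amount_, uint256 maxCost_) external payable {
        uint256 cost = getPrice(supply, amount_); // priced at execution time
        // A front-run buy raises supply, so cost exceeds the quote and we revert.
        if (cost > maxCost_) revert SlippageExceeded(cost, maxCost_);
        require(msg.value >= cost, "insufficient payment");
        supply += amount_;
        balanceOf[msg.sender] += amount_;
        if (msg.value > cost) {
            (bool ok, ) = msg.sender.call{value: msg.value - cost}("");
            require(ok, "refund failed");
        }
    }

    // minProceeds_ is the least the caller will accept for the shares.
    function sell(uint256 amount_, uint256 minProceeds_) external {
        require(balanceOf[msg.sender] >= amount_, "insufficient shares");
        uint256 proceeds = getPrice(supply - amount_, amount_);
        // A front-run sell lowers supply, so proceeds fall below the quote.
        if (proceeds < minProceeds_) revert SlippageExceeded(proceeds, minProceeds_);
        supply -= amount_;
        balanceOf[msg.sender] -= amount_;
        (bool ok, ) = msg.sender.call{value: proceeds}("");
        require(ok, "payout failed");
    }
}
```

A client would derive maxCost_ or minProceeds_ from a getPrice quote taken just before submission, widened by the tolerance the user chooses; a tolerance of zero makes any intervening supply change revert the trade.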