Revolution Protocol - SadeeqXmosh's results

A protocol to empower communities to raise funds, fairly distribute governance, and maximize their impact in the world.

General Information

Platform: Code4rena

Start Date: 13/12/2023

Pot Size: $36,500 USDC

Total HM: 18

Participants: 110

Period: 8 days

Judge: 0xTheC0der

Id: 311

League: ETH

Collective

Findings Distribution

Researcher Performance

Rank: 81/110

Findings: 1

Award: $25.16

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

25.1638 USDC - $25.16

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
sufficient quality report
edited-by-warden
duplicate-397

External Links

Lines of code

https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/revolution/src/ERC20TokenEmitter.sol#L152

Vulnerability details

Vulnerability Details:

The ERC20TokenEmitter contract exposes a buyToken() method that lets users purchase the governance ERC20VotesToken, with the price set by a linear VRGDA contract whose schedule is based on a target daily emission. The issue is that callers cannot specify a slippage limit. Without slippage protection, a malicious user can front-run a pending purchase with a buy of their own, which pushes the emission ahead of schedule and raises the VRGDA price; the victim's transaction then executes at a much higher price than the one they saw when submitting it. This exposes users to adverse execution outcomes.

Impact:

Users would be forced to accept trades at very bad prices.

Proof of Concept:

    // Absence of slippage protection allows users' buys to fill at much worse prices than expected.
    // Alice sends a buyToken() transaction to the mempool; Bob spots the tx and submits the same trade
    // ahead of it, pushing the token emitter's schedule further forward, which raises the VRGDA price.
    // When Alice's trade is executed it fills at a far higher price than she expected.
    function buyToken(
        address[] calldata addresses,
        uint256[] calldata basisPointSplits,
        ProtocolRewardAddresses calldata protocolRewardsRecipients
    ) public payable nonReentrant whenNotPaused returns (uint256 tokensSoldWad) {
        // ... no minimum-output parameter: nothing bounds the price the caller accepts
    }

Tools Used

VSCodium

Recommended Mitigation Steps:

Add a slippage parameter to the buyToken method so that callers can state the minimum number of tokens they are willing to accept for their payment, and revert when the amount actually sold falls below it.
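The shape of that mitigation, as an added example that is not part of the original report or of the Revolution Protocol code base: a hypothetical, simplified emitter with the unprotected buy next to a hardened buy that takes a minTokensOut and a deadline. The contract name, the _tokensForEther and _mint hooks, and the toy rising-price curve in ToyEmitter are all assumptions made for illustration; the real contract prices through its linear VRGDA and splits the purchase across several recipients.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

/// Hypothetical emitter used only to illustrate slippage protection.
/// NOT the Revolution Protocol ERC20TokenEmitter; pricing and minting are stubbed hooks.
abstract contract SlippageProtectedEmitter {
    error ZeroPayment();
    error DeadlinePassed(uint256 deadline, uint256 blockTime);
    error SlippageExceeded(uint256 tokensOut, uint256 minTokensOut);

    /// Pricing hook: tokens (in WAD) sold for `etherAmount` at the current state.
    /// In the real emitter this comes from the VRGDA and how many tokens were already sold.
    function _tokensForEther(uint256 etherAmount) internal view virtual returns (uint256);

    /// Minting hook: credit `amountWad` tokens to `to`.
    function _mint(address to, uint256 amountWad) internal virtual;

    /// Vulnerable shape: the caller cannot bound the price they accept. Whatever
    /// quantity the curve yields when the tx lands is what they receive, so a buy
    /// that front-runs this one simply makes the caller pay more per token.
    function buyTokenUnprotected(address to) public payable returns (uint256 tokensSoldWad) {
        if (msg.value == 0) revert ZeroPayment();
        tokensSoldWad = _tokensForEther(msg.value);
        _mint(to, tokensSoldWad);
    }

    /// Hardened shape: the caller quotes the trade off-chain, applies a tolerance,
    /// and passes the result as `minTokensOut` with a `deadline`. If a front-runner
    /// moves the schedule ahead before this tx executes, the quote falls below
    /// `minTokensOut` and the call reverts instead of filling at the worse price.
    function buyToken(address to, uint256 minTokensOut, uint256 deadline)
        public
        payable
        returns (uint256 tokensSoldWad)
    {
        if (block.timestamp > deadline) revert DeadlinePassed(deadline, block.timestamp);
        if (msg.value == 0) revert ZeroPayment();
        tokensSoldWad = _tokensForEther(msg.value);
        if (tokensSoldWad < minTokensOut) revert SlippageExceeded(tokensSoldWad, minTokensOut);
        _mint(to, tokensSoldWad);
    }
}

/// Toy concrete emitter (assumption: a linear price ramp, not a VRGDA) so the
/// revert can be observed in a sandbox. Price per token rises with tokens sold,
/// so a buy inserted ahead of yours lowers the tokens your ether will fetch.
contract ToyEmitter is SlippageProtectedEmitter {
    uint256 public totalSoldWad;
    uint256 public constant BASE_PRICE_WEI = 0.001 ether; // price of the first token
    uint256 public constant SLOPE_WEI = 0.0001 ether;     // added per whole token already sold
    mapping(address => uint256) public balanceOf;

    /// Quote view a front-end would call before building `minTokensOut`.
    function quoteTokensForEther(uint256 etherAmount) external view returns (uint256) {
        return _tokensForEther(etherAmount);
    }

    function _tokensForEther(uint256 etherAmount) internal view override returns (uint256) {
        uint256 priceWei = BASE_PRICE_WEI + (totalSoldWad / 1e18) * SLOPE_WEI;
        return (etherAmount * 1e18) / priceWei;
    }

    function _mint(address to, uint256 amountWad) internal override {
        totalSoldWad += amountWad;
        balanceOf[to] += amountWad;
    }
}
```

To exercise it in a sandbox: take quoteTokensForEther(1 ether) as Alice, shave a tolerance off it (for example 1%) to form minTokensOut, then have a second account buy first. Alice's buyToken now reverts with SlippageExceeded, while buyTokenUnprotected with the same ether silently fills for fewer tokens. The deadline guards the separate case where a transaction sits in the mempool long enough for the schedule itself to move.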

Assessed type

MEV

#0 - c4-pre-sort

2023-12-22T04:30:33Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2023-12-22T04:30:52Z

raymondfam marked the issue as duplicate of #26

#2 - c4-pre-sort

2023-12-24T06:00:45Z

raymondfam marked the issue as duplicate of #397

#3 - c4-judge

2024-01-06T16:29:43Z

MarioPoneder changed the severity to 2 (Med Risk)

#4 - c4-judge

2024-01-06T16:29:48Z

MarioPoneder marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
