Platform: Code4rena
Start Date: 03/05/2023
Pot Size: $60,500 USDC
Total HM: 25
Participants: 114
Period: 8 days
Judge: Picodes
Total Solo HM: 6
Id: 234
League: ETH
Rank: 42/114
Findings: 1
Award: $253.66
🌟 Selected for report: 0
🚀 Solo Findings: 0
253.665 USDC - $253.66
# Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/76c254c0085e7520edd24cd2f8b79cbb61d7706c/ajna-core/src/RewardsManager.sol#L310-L318

# Vulnerability details

Whichever caller is first in the pool's current epoch to update a bucket's exchange rate receives the 5% update reward; anyone who updates the same bucket later in that epoch receives nothing. This is a Maximal Extractable Value (MEV) opportunity, and it incentivizes front-running.

Given the prevalence of front-running bots and MEV-extracting block producers, a malicious user can monitor the mempool and, whenever the reserve auction advances to the next epoch, submit a prioritized private MEV transaction to claim the reward. As a result, an ordinary user will never be able to collect the reward the protocol offers for updating bucket exchange rates.

## Tools Used

Private Research Tool

## Recommended Mitigation Steps

Allow only lenders to claim the 5% reward for updating bucket exchange rates. Restricting the reward to accounts that actually hold LP in the bucket being updated removes the incentive for outside bots, though lenders of the same bucket can still race each other for the single reward.
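The two patterns above, reduced to a minimal contract. This is an added example, not Ajna's RewardsManager code: the function names, the `isLender` registry, the per-epoch reward pool and the 5% constant are assumptions chosen to illustrate the finding. `updateBucketExchangeRateOpen` is the open "first caller wins" pattern a mempool bot can front-run; `updateBucketExchangeRateLendersOnly` is the recommended mitigation, where a non-lender's update neither earns nor consumes the reward.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustration of the "first updater in an epoch takes the reward" pattern and a
/// lender-gated variant. Not Ajna's RewardsManager: names, the lender registry and
/// the per-epoch reward pool are assumptions made for this example.
contract FirstUpdaterRewardExample {
    uint256 public constant UPDATE_CLAIM_REWARD = 0.05e18; // 5% in 18-decimal fixed point (assumed)
    uint256 public constant WAD = 1e18;

    uint256 public currentEpoch;      // advances when a reserve auction is kicked
    uint256 public epochRewardPool;   // rewards available in the current epoch (constructed value)

    // epoch => bucket => has the update reward for that bucket already been paid?
    mapping(uint256 => mapping(uint256 => bool)) public rewardPaid;
    // bucket => account => holds LP in that bucket (assumed registry, set by the caller)
    mapping(uint256 => mapping(address => bool)) public isLender;
    mapping(address => uint256) public claimable;

    /// Moves the pool to the next epoch; this is the event a front-running bot watches for.
    function kickReserveAuction(uint256 rewardsForEpoch) external {
        currentEpoch += 1;
        epochRewardPool = rewardsForEpoch;
    }

    function setLender(uint256 bucket, address account, bool lender) external {
        isLender[bucket][account] = lender;
    }

    /// Pays the 5% update reward to `to` if nobody has claimed it for this bucket/epoch yet.
    function _payUpdateReward(uint256 bucket, address to) internal returns (uint256 reward) {
        if (rewardPaid[currentEpoch][bucket]) return 0;
        rewardPaid[currentEpoch][bucket] = true;
        reward = (epochRewardPool * UPDATE_CLAIM_REWARD) / WAD;
        claimable[to] += reward;
    }

    /// Open pattern (the one the finding describes): any caller, including a bot that
    /// sees kickReserveAuction land and submits a prioritized transaction, is "first".
    function updateBucketExchangeRateOpen(uint256 bucket) external returns (uint256) {
        return _payUpdateReward(bucket, msg.sender);
    }

    /// Lender-gated pattern (the recommended mitigation): a non-lender may still refresh
    /// the rate but earns nothing and does not consume the reward, so a bot has no MEV to
    /// chase. Lenders of the same bucket can still race each other for the single reward.
    function updateBucketExchangeRateLendersOnly(uint256 bucket) external returns (uint256) {
        if (!isLender[bucket][msg.sender]) return 0;
        return _payUpdateReward(bucket, msg.sender);
    }
}
```

To reproduce the race in a local test: call `kickReserveAuction(1000e18)`, then have a bot address call `updateBucketExchangeRateOpen(7)` before a lender does; the bot's `claimable` becomes 50e18 and the lender's call returns 0. With `updateBucketExchangeRateLendersOnly`, the bot's call returns 0 and leaves `rewardPaid` unset, so the first lender to update still collects the reward.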
#0 - c4-judge
2023-05-18T19:21:53Z
Picodes changed the severity to 2 (Med Risk)
#2 - c4-judge
2023-05-18T19:22:17Z
Picodes marked the issue as duplicate of #373
#3 - c4-judge
2023-05-30T21:24:58Z
Picodes marked the issue as satisfactory