liquidation is vulnerable to sandwich attacks #113
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
sponsor disputed: Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Lines of code
https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/AMM.sol#L144
Vulnerability details
When an account is liquidated, no minimum amount is set for the swap, which makes the liquidation vulnerable to sandwich attacks.
Proof of Concept
Alice's long position can be liquidated. Bob notices it and creates a short position,
then liquidates her position, which swaps the base asset for the quote asset
and therefore reduces the base asset price.
He then redeems his short position and profits because the price went down.
Tools Used
Manual review
Recommended Mitigation Steps
Set `quoteAssetLimit` in `_reducePosition` to prevent the attack.
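
The effect of the missing limit, and of setting one, can be checked on a toy model. This is an added example, not code from the report or from Hubble: it assumes a constant-product pool instead of the protocol's actual curve, treats `quote_asset_limit` as the minimum quote amount the liquidation swap must return, and uses constructed reserves, position sizes and a 1% tolerance.

```python
from fractions import Fraction

class SlippageError(Exception): ...  # stands in for a revert on a failed limit check

class ToyAMM:
    """Constant-product pool (x * y = k). Assumed model, not Hubble's curve."""
    def __init__(self, base, quote):
        self.base, self.quote = Fraction(base), Fraction(quote)

    def sell_base(self, d_base, quote_asset_limit=0):
        # Quote paid out for d_base; rejected if below the caller's minimum.
        k = self.base * self.quote
        out = self.quote - k / (self.base + d_base)
        if out < quote_asset_limit:
            raise SlippageError(f"got {float(out):.2f}, limit {float(quote_asset_limit):.2f}")
        self.base, self.quote = self.base + d_base, self.quote - out
        return out

    def buy_base(self, d_base):
        # Quote that must be paid in to take d_base out of the pool.
        k = self.base * self.quote
        cost = k / (self.base - d_base) - self.quote
        self.base, self.quote = self.base - d_base, self.quote + cost
        return cost

def fresh_pool():
    return ToyAMM(1_000, 1_000_000)  # constructed reserves, price = 1000

def liquidate(amm, long_size, quote_asset_limit=0):
    # Closing a long sells its base into the pool, as in the report.
    return amm.sell_base(long_size, quote_asset_limit)

def sandwiched_liquidation(quote_asset_limit=0):
    amm = fresh_pool()
    received = amm.sell_base(50)                       # Bob's short goes first
    alice_out = liquidate(amm, 10, quote_asset_limit)  # liquidation of Alice
    paid = amm.buy_base(50)                            # Bob closes the short
    return alice_out, received - paid

def run():
    fair = liquidate(fresh_pool(), 10)
    alice_out, bob_profit = sandwiched_liquidation()   # no limit: goes through
    limit = fair * Fraction(99, 100)                   # 1% tolerance, assumed
    try:
        sandwiched_liquidation(limit)
        blocked = False
    except SlippageError:
        blocked = True
    return fair, alice_out, bob_profit, blocked
```

In this model the quote amount Alice's liquidation loses is exactly the amount Bob gains, and with the limit set the liquidation swap is rejected once the price has been moved, while an untouched pool still passes the same limit.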