User can avoid getting penalty by front-running setPenaltyPercentages.
Summary
In AirdropDistribution:claim, a user can claim the airdrop using 4 options. Let's consider options 2 and 3:
Tax Paid Early Claim (Top 80% - Tax paid): These users, while originally part of a vesting schedule, can pay a tax to skip the vesting. Once the tax is paid, they can claim the total amount directly without waiting for monthly releases.
Vested Claim (Top 80% - No Tax Paid): These users must follow the vesting schedule, which allows monthly claims between January 12th and June 12th.
If the user misbehaves, then a penalty is applied to the user, but the user can front-run the setPenaltyPercentages function by paying the tax early and claiming.
Root cause
In AirdropDistribution:claim, there is no check to prevent frontrunning of setPenaltyPercentages.
Internal pre-conditions
NO_RESPONSE
External pre-conditions
User should be in group Top 80.
Attack Path
User misbehaves, which will get him penalized.
User front-runs the setPenaltyPercentages transaction, pays the tax, and calls AirdropDistribution:claim to claim all of the airdrop from all vesting schedules.
User receives tokens without getting penalized.
Impact
User can avoid being penalized by front-running setPenaltyPercentages.
POC
NO_RESPONSE
Mitigation
We could prevent the front-run by using timelocks, but not sure how we could prevent a user who has already paid the tax.
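The ordering race described in the attack path, as an added Python model that is not part of the original report and is not the audited contract's code. The class `AirdropModel`, the `claim_delay` parameter, the `finalize` step, the 40% penalty and the 1000-token allocation are all constructed assumptions; the tax payment is folded into `claim`, and the delayed payout is only one possible reading of the timelock idea.

```python
# Constructed model of the ordering race; not the audited contract's code.
from dataclasses import dataclass, field


@dataclass
class AirdropModel:
    allocation: dict                 # user -> claimable tokens (constructed values)
    claim_delay: int = 0             # blocks between claim request and payout (hypothetical)
    penalty_pct: dict = field(default_factory=dict)
    unlock_at: dict = field(default_factory=dict)
    paid: dict = field(default_factory=dict)
    block: int = 0

    def set_penalty_percentages(self, users, pcts):
        for user, pct in zip(users, pcts):
            self.penalty_pct[user] = pct

    def _pay(self, user):
        # The penalty is read at payout time, whatever it is at that moment.
        amount = self.allocation.pop(user)
        self.paid[user] = amount * (100 - self.penalty_pct.get(user, 0)) // 100

    def claim(self, user):
        if user not in self.allocation:
            raise ValueError("nothing to claim")
        if self.claim_delay == 0:
            self._pay(user)          # immediate payout, as described in the report
        else:
            self.unlock_at.setdefault(user, self.block + self.claim_delay)

    def finalize(self, user):
        if self.block < self.unlock_at[user]:
            raise ValueError("claim still locked")
        del self.unlock_at[user]
        self._pay(user)


def simulate(tx_order, claim_delay=0, penalty=40):
    """Apply transactions in the order a block includes them; return alice's payout."""
    m = AirdropModel(allocation={"alice": 1000}, claim_delay=claim_delay)
    for tx in tx_order:
        if tx == "claim":
            m.claim("alice")
        elif tx == "set_penalty":
            m.set_penalty_percentages(["alice"], [penalty])
    if claim_delay:
        m.block += claim_delay       # time passes, then the queued claim is paid
        m.finalize("alice")
    return m.paid["alice"]
```

In this model the delay only helps if it is longer than the time the admin needs to get the penalty transaction mined.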
sherlock-admin4 changed the title from "Brisk Mango Starfish - User can avoid getting penalty by front-running setPenaltyPercentages." to "redbeans - User can avoid getting penalty by front-running setPenaltyPercentages." on Nov 19, 2024
redbeans
Medium