#41638 [SC-Medium] Sandwich Attack on `compound()` Function Allows Value Extraction from Honest Depositors
Was this helpful?
Was this helpful?
Submitted on Mar 17th 2025 at 07:53:19 UTC by @DoD4uFN for
Report ID: #41638
Report Type: Smart Contract
Report severity: Medium
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/contracts/MoneyBrinter.sol
Impacts:
Theft of unclaimed yield
The compound()
function in MoneyBrinter.sol
allows the strategy manager to swap reward tokens and deposit them into BeradromeFarmPlugin
, increasing the share price. However, this function is vulnerable to a sandwich attack, where an attacker can front-run the compound transaction by minting shares before it executes and then immediately selling after the share price increases, allowing them to extract a portion of the compounded rewards at the expense of honest depositors.
The vulnerability arises due to the predictable and public nature of the compound()
function’s execution. The attacker can monitor the mempool for compound()
transactions and execute the following steps:
Front-run the compound transaction: The attacker mints new shares by depositing right before the compound()
function executes.
Let the compound transaction execute: The function swaps reward tokens and deposits them into the farm, increasing the value of each share.
Sell the inflated shares: The attacker then sells their shares immediately after, capturing a portion of the newly compounded rewards.
This results in an unfair redistribution of yield, where honest depositors receive less benefit from the compounding process while the attacker profits.
This exploit enables an attacker to extract value from the yield compounding process, leading to loss of rewards for honest depositors.
The attacker monitors the mempool for an impending compound()
transaction.
They submit a transaction to deposit assets and mint shares, ensuring it gets confirmed right before compound()
executes.
Once compound()
executes, increasing the share price, the attacker sells their shares immediately after, capturing the newly compounded rewards.