# #41638 \[SC-Medium] Sandwich Attack on \`compound()\` Function Allows Value Extraction from Honest Depositors **Submitted on Mar 17th 2025 at 07:53:19 UTC by @DoD4uFN for** [**Audit Comp | Yeet**](https://immunefi.com/audit-competition/audit-comp-yeet) * **Report ID:** #41638 * **Report Type:** Smart Contract * **Report severity:** Medium * **Target:** * **Impacts:** * Theft of unclaimed yield ## Description ## Brief/Intro The `compound()` function in `MoneyBrinter.sol` allows the strategy manager to swap reward tokens and deposit them into `BeradromeFarmPlugin`, increasing the share price. However, this function is vulnerable to a sandwich attack, where an attacker can front-run the compound transaction by minting shares before it executes and then immediately selling after the share price increases, allowing them to extract a portion of the compounded rewards at the expense of honest depositors. ## Vulnerability Details The vulnerability arises due to the predictable and public nature of the `compound()` function’s execution. The attacker can monitor the mempool for `compound()` transactions and execute the following steps: 1. **Front-run the compound transaction:** The attacker mints new shares by depositing right before the `compound()` function executes. 2. **Let the compound transaction execute:** The function swaps reward tokens and deposits them into the farm, increasing the value of each share. 3. **Sell the inflated shares:** The attacker then sells their shares immediately after, capturing a portion of the newly compounded rewards. This results in an unfair redistribution of yield, where honest depositors receive less benefit from the compounding process while the attacker profits. ### Relevant Code Snippet ```solidity function compound( address[] calldata swapInputTokens, IZapper.SingleTokenSwap[] calldata swapToToken0, IZapper.SingleTokenSwap[] calldata swapToToken1, IZapper.KodiakVaultStakingParams calldata stakingParams, IZapper.VaultDepositParams calldata vaultStakingParams ) public override onlyStrategyManager nonReentrant returns (uint256) { uint256 initialSupply = totalSupply(); uint256 shareValueBefore = previewRedeem(initialSupply); _approveTokens(swapInputTokens, swapToToken0, swapToToken1); (uint256 islandTokensMinted, uint256 vaultSharesMinted) = zapper.zapInWithMultipleTokens(swapParams, stakingParams, vaultStakingParams); _depositIntoFarm(islandTokensMinted); uint256 shareValueAfter = previewRedeem(initialSupply); require(shareValueAfter >= shareValueBefore, "MoneyBrinter: Bad Compound"); return islandTokensMinted; } ``` ## Impact Details This exploit enables an attacker to extract value from the yield compounding process, leading to loss of rewards for honest depositors. ## References [MoneyBrinter:compound](https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/contracts/MoneyBrinter.sol#L199-L227) ## Proof of Concept ## Proof of Concept 1. The attacker monitors the mempool for an impending `compound()` transaction. 2. They submit a transaction to deposit assets and mint shares, ensuring it gets confirmed right before `compound()` executes. 3. Once `compound()` executes, increasing the share price, the attacker sells their shares immediately after, capturing the newly compounded rewards. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/yeet/41638-sc-medium-sandwich-attack-on-compound-function-allows-value-extraction-from-honest-depositors.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.