Full Report
Maximal/Miner Extractable Value (MEV) is a measure of the profit that a miner can make by ordering the transactions in the blocks they produce. For an attacker, this can mean including, excluding or reordering transactions altogether. Mushrooms Finance has built-in protections that make flash loan attacks impossible: only externally owned accounts (EOAs) can make a call to the contract. However, the arbitrary ordering of transactions within a block is still important here. A sandwich attack is when a miner orders one of their own transactions, then a victim transaction, then another transaction they control. This bundle of transactions within a block could make the miner's block very profitable, given the proper sequence of events. Sandwich attacks are a version of frontrunning.

In the case of the Mushrooms Finance contract, there is a function called harvest(). When this is triggered, the yields for the earned funds are distributed pro-rata (based upon the amount of inserted funds). The attacker can manipulate the harvest function call by sandwiching it between two other transactions. First, an attacker would need to use their own funds in order to distort the price of the Uniswap pool. Then, in the middle of the sandwich, they put the harvest() call. The final transaction has the Uniswap pool go back to its undistorted state, taking some of the harvest funds.

This problem had been exploited by several bots in the past; the fix is calling harvest more frequently. If there's no money to be gained, then there's no attack. The malicious ordering of transactions within a block is a fascinating attack. I wonder if it's possible to simulate this on a local fork for demonstration purposes?
Analysis Summary
# Vulnerability: Mushrooms Finance Yield Theft via MEV Sandwich Attack
## CVE Details
- **CVE ID**: Not Assigned (DeFi protocol vulnerabilities are frequently tracked via bug bounty disclosures rather than CVE IDs)
- **CVSS Score**: High (Internal classification)
- **CWE**: CWE-436 (Interpretation Conflict) / CWE-662 (Improper Synchronization)
## Affected Systems
- **Products**: Mushrooms Finance
- **Versions**: All versions prior to the May 2021 patch.
- **Configurations**: Smart contracts utilizing `harvest()` functions for yield distribution that rely on decentralized exchange (DEX) pool states (e.g., Uniswap) for price or value calculations.
## Vulnerability Description
The vulnerability stems from the protocol's susceptibility to **Maximal/Miner Extractable Value (MEV)** via a "sandwich attack." While Mushrooms Finance implemented a check to ensure only Externally Owned Accounts (EOAs)—and not smart contracts—could trigger the `harvest()` function to prevent flash loan exploits, this did not protect against transaction reordering within a block.
The flaw allows an attacker to manipulate the yield distribution by:
1. Distorting a related Uniswap pool price using their own liquid assets.
2. Forcing the protocol’s `harvest()` transaction to occur while the pool is in a manipulated state.
3. Reversing the pool distortion in the same block to capture a portion of the distributed yield as profit.
## Exploitation
- **Status**: Exploited in the wild (Confirmed at blocks 12312954 and 12319752).
- **Complexity**: Medium (Requires MEV searcher infrastructure or Flashbots access).
- **Attack Vector**: Network (Blockchain/Mempool).
## Impact
- **Confidentiality**: None
- **Integrity**: Low (Yield distribution is redirected, but core deposits remain safe).
- **Availability**: None
## Remediation
### Patches
- The protocol team implemented a logic change via their **Keep3r** automation to trigger the `harvest()` function at a significantly higher frequency.
### Workarounds
- **Frequent Harvesting**: By keeping individual harvest amounts small, the cost of the gas and swap fees required to manipulate the Uniswap pool exceeds the potential profit for an attacker, making the exploit economically unviable.
- **Slippage Protection**: Implementing strict slippage bounds or using Oracles (like Chainlink) for price feeds rather than spot prices from a single DEX pool.
## Detection
- **Indicators of Compromise**: Bundled transactions in a single block where the `harvest()` call is preceded by a large swap (distorting price) and followed by an opposing swap by the same actor.
- **Detection Methods**: Monitoring the Ethereum mempool via Flashbots Relay or using MEV-specific explorers like EigenPhi.
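The indicator described above can be expressed as a rule over decoded block data. The following is an added example, not code from Mushrooms Finance or Immunefi; the `Tx` record, the `find_harvest_sandwiches` helper, the `min_swap` threshold and every address, block number and amount in `SAMPLE` are constructed for illustration, and decoding of swaps and `harvest()` calls is assumed to happen upstream.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Tx:
    """One decoded transaction; decoding is assumed to happen upstream."""
    block: int
    index: int                 # position of the transaction inside its block
    sender: str
    kind: str                  # "swap" or "harvest"
    pool: Optional[str] = None
    token_in: Optional[str] = None
    token_out: Optional[str] = None
    amount_in: float = 0.0

def find_harvest_sandwiches(txs: List[Tx], min_swap: float = 0.0) -> List[Tuple[Tx, Tx, Tx]]:
    """Return (front swap, harvest, back swap) triples found inside one block."""
    by_block = {}
    for tx in txs:
        by_block.setdefault(tx.block, []).append(tx)
    findings = []
    for block_txs in by_block.values():
        block_txs.sort(key=lambda t: t.index)
        swaps = [t for t in block_txs if t.kind == "swap"]
        for h in (t for t in block_txs if t.kind == "harvest"):
            for front in swaps:
                if front.index > h.index or front.amount_in < min_swap:
                    continue
                for back in swaps:
                    # Same actor, same pool, opposite direction, after the harvest.
                    if (back.index > h.index and back.sender == front.sender
                            and back.pool == front.pool
                            and back.token_in == front.token_out
                            and back.token_out == front.token_in):
                        findings.append((front, h, back))
    return findings

# Constructed sample data (placeholder addresses, blocks and amounts).
SAMPLE = [
    Tx(100, 0, "0xactorA", "swap", "POOL", "TOKEN_A", "TOKEN_B", 500.0),
    Tx(100, 1, "0xkeeper", "harvest"),
    Tx(100, 2, "0xactorA", "swap", "POOL", "TOKEN_B", "TOKEN_A", 480.0),
    Tx(101, 0, "0xactorB", "swap", "POOL", "TOKEN_A", "TOKEN_B", 500.0),  # benign:
    Tx(101, 1, "0xkeeper", "harvest"),                                    # the opposing swap
    Tx(101, 2, "0xactorC", "swap", "POOL", "TOKEN_B", "TOKEN_A", 400.0),  # is another sender
    Tx(102, 0, "0xactorA", "swap", "POOL", "TOKEN_A", "TOKEN_B", 1.0),    # too small to
    Tx(102, 1, "0xkeeper", "harvest"),                                    # distort the pool
    Tx(102, 2, "0xactorA", "swap", "POOL", "TOKEN_B", "TOKEN_A", 1.0),
]
```

The rule does not require the `harvest()` sender to match the swapper, since the harvest may be sent by a keeper and merely placed between the two swaps.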
## References
- Immunefi Bugfix Review: [https://medium[.]com/immunefi/mushrooms-finance-theft-of-yield-bugfix-review-16bd6961388f]
- Exploitation Tx 1: [https://etherscan[.]io/tx/0xec730c75c3b95debc6fb83216661d7832d2a761a1883c0c6b7593d33a860780c]
- Exploitation Tx 2: [https://etherscan[.]io/tx/0xa0ac048a8109e20c853da140c123f46f8a758fd8021978ff5f1fa749babbc70f]
- Exploitation Tx 3: [https://etherscan[.]io/tx/0x7ae34b797960cf6cbe2fac97f986482d5594896fc441414458da688ca6ed98cd]