Radiant Tangerine Nightingale
Medium
When a user has paid the airdrop tax, the user is supposed to pay the penalty for the months that have passed as well as the current one. By frontrunning the admin's setPenaltyPercentages() tx, they can bypass the penalty for the current month.
Penalties are set per month and are determined by the user not fulfilling certain conditions in the prior month. When a user has paid the tax, they're supposed to pay the tax for any of the months that have passed as well as the current one, monthsPassed + 1, see AirdropDistribution.sol:249.
By frontrunning the admin's setPenaltyPercentages() tx, they can execute their claim before the penalty is set by paying the tax.
The tax percentages is linearly decreasing, reaching 0% when the airdrop is fully claimable for everybody, see AirdropTaxCollector.sol:232. Thus, it will likely be profitable to pay the tax and bypass the penalty.
\
\
- User watches mempool for admin's
setPenaltyPercentages()tx to frontrun it. (by paying the tax as late as possible, the minimize the tax amount). - User pays tax and claims their airdrop before the penalty is set for the current month.
This will only affect the protocol's value and is determined by the user's airdrop amount + penalty percentage.
\
Airdrop should only be claimable after the current month's penalties have been set.