code423n4 commented 2 years ago

Handle

0xsanson

Vulnerability details

Impact

In the NativeStrategyCurve3Crv._harvest there are two instances that a bad actor could use to frontrun the harvest.

First, when we are swapping WETH to a stablecoin by calling _swapTokens(weth, _stableCoin, _remainingWeth, 1) the function isn't checking the slippage, leading to the risk to a frontun (by imbalancing the Uniswap pair) and losing part of the harvesting profits.

Second, during the _addLiquidity internal function: this calls stableSwap3Pool.add_liquidity(amounts, 1) not considering the slippage when minting the 3CRV tokens.

Proof of Concept

https://github.com/code-423n4/2021-09-yaxis/blob/main/contracts/v3/strategies/NativeStrategyCurve3Crv.sol#L108

Tools Used

editor

Recommended Mitigation Steps

In the function _harvest(_estimatedWETH, _estimatedYAXIS) consider adding two additional estimated quantities: one for the swapped-out stablecoin and one for the minted 3CRV.

uN2RVw5q commented 2 years ago

On second thought, I think this is a valid issue.

consider adding two additional estimated quantities: one for the swapped-out stablecoin and one for the minted 3CRV.

This suggestion should be considered.

GalloDaSballo commented 2 years ago

Warden identified two paths for front-running

Since these are ways to extract value, severity is Medium

code-423n4 / 2021-09-yaxis-findings