Handle
tensors
Vulnerability details
Impact
If _addLiquidity is ever called with meaningful funds at stake (anything more than a few thousand dollars), it becomes profitable for MEV bots and other frontrunners to sandwich the _addLiquidity() call. The attacker first skews the pool reserves toward the asset the strategy is about to deposit, so the single-sided deposit adds less to the pool invariant and the protocol receives fewer LP tokens than it would at fair reserves; because the call does not specify a minimum number of LP tokens to accept, it goes through anyway. The attacker then trades against the extra liquidity in the backrun, arbing the Curve pool back to its unskewed state and pocketing the difference. Bots that perform this sandwich already exist on mainnet.
Proof of Concept
https://github.com/code-423n4/2021-09-yaxis/blob/cf7d9448e70b5c1163a1773adb4709d9d6ad6c99/contracts/v3/strategies/NativeStrategyCurve3Crv.sol#L73
Recommended Mitigation Steps
Add a minimum-amount-out parameter (Curve's min_mint_amount) to every call that adds liquidity, so the transaction reverts if the LP tokens minted fall below an expected amount less a slippage tolerance. The expected amount should come from a quote taken outside the transaction being sandwiched (for example, passed in by the keeper that triggers the deposit); a quote computed on-chain inside the same call already sees the skewed reserves and offers no protection.
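To make the Impact and the mitigation concrete, the following is an added example (not yAxis or Curve code) that simulates the sandwich on a constructed toy pool. The pool is a two-asset constant-product pool whose LP supply grows with the invariant D = sqrt(x*y), standing in for Curve's StableSwap invariant; the numbers (1000/1000 reserves, a 100-token deposit, a 200-token frontrun) are assumptions chosen for illustration, and the fee is set to zero so the loss is easy to read. quote_lp_for_x plays the role of Curve's calc_token_amount and add_liquidity_x the role of add_liquidity with min_mint_amount.

```python
from dataclasses import dataclass
from math import sqrt


@dataclass
class Pool:
    """Constructed toy pool: constant product x*y, LP tokens tracking D = sqrt(x*y).

    Not Curve's StableSwap math; it reproduces the property that matters here:
    a single-sided deposit into a pool already skewed toward that asset raises
    the invariant less, so it mints fewer LP tokens.
    """
    x: float
    y: float
    lp_supply: float

    def invariant(self) -> float:
        return sqrt(self.x * self.y)

    def swap_x_for_y(self, dx: float) -> float:
        """Sell dx of X into the pool; returns the Y received (no swap fee)."""
        k = self.x * self.y
        new_x = self.x + dx
        dy = self.y - k / new_x
        self.x, self.y = new_x, self.y - dy
        return dy

    def swap_y_for_x(self, dy: float) -> float:
        """Sell dy of Y into the pool; returns the X received (no swap fee)."""
        k = self.x * self.y
        new_y = self.y + dy
        dx = self.x - k / new_y
        self.x, self.y = self.x - dx, new_y
        return dx

    def quote_lp_for_x(self, dx: float) -> float:
        """Analogue of Curve's calc_token_amount: LP tokens a single-sided X deposit mints now."""
        d0 = self.invariant()
        d1 = sqrt((self.x + dx) * self.y)
        return self.lp_supply * (d1 - d0) / d0

    def add_liquidity_x(self, dx: float, min_mint_amount: float) -> float:
        """Single-sided deposit of dx X; raises (reverts) if fewer than min_mint_amount LP tokens result."""
        minted = self.quote_lp_for_x(dx)
        if minted < min_mint_amount:
            raise ValueError(f"slippage: minted {minted:.4f} < min_mint_amount {min_mint_amount:.4f}")
        self.x += dx
        self.lp_supply += minted
        return minted


def fresh_pool() -> Pool:
    # Constructed balanced pool: the state the strategy would see if it were not sandwiched.
    return Pool(x=1000.0, y=1000.0, lp_supply=1000.0)


def min_mint_with_slippage(quote: float, slippage_bps: int) -> float:
    """Turn an out-of-band quote into the min_mint_amount to pass on-chain."""
    return quote * (10_000 - slippage_bps) / 10_000


def sandwich(deposit: float, attacker_x: float, min_mint_amount: float = 0.0):
    """Frontrun -> victim _addLiquidity -> backrun. Returns (lp_minted, attacker_profit_in_x).

    Raises ValueError if the victim's deposit reverts on its minimum-amount check.
    """
    pool = fresh_pool()
    # 1. Frontrun: attacker dumps X, skewing reserves toward the asset about to be deposited.
    y_received = pool.swap_x_for_y(attacker_x)
    # 2. Victim: the strategy's single-sided deposit lands on skewed reserves.
    minted = pool.add_liquidity_x(deposit, min_mint_amount)
    # 3. Backrun: attacker sells the Y back, arbing the pool toward balance against the new liquidity.
    x_back = pool.swap_y_for_x(y_received)
    return minted, x_back - attacker_x


if __name__ == "__main__":
    honest = fresh_pool().quote_lp_for_x(100.0)
    minted, profit = sandwich(100.0, 200.0)          # min_mint_amount = 0: the unprotected call
    print(f"fair quote {honest:.2f} LP, sandwiched {minted:.2f} LP, attacker profit {profit:.2f} X")
    try:
        sandwich(100.0, 200.0, min_mint_with_slippage(honest, 100))   # 1% tolerance: reverts
    except ValueError as e:
        print("protected call reverted:", e)
```

With these inputs the fair deposit would mint about 48.8 LP tokens; after the 200-token frontrun it mints about 40.8, and the backrun returns roughly 16.7 X of profit to the attacker. Passing a min_mint_amount of 1% below the fair quote makes the sandwiched deposit revert, which is the behaviour the mitigation asks for. Note that the quote used for the minimum is taken from fresh_pool(), i.e. before the attacker's frontrun; a quote taken inside the sandwiched transaction would already reflect the skewed reserves.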