code-423n4 / 2021-09-yaxis-findings


_addLiquidity will lose user funds due to frontrunning. #157

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

tensors

Vulnerability details

Impact

If _addLiquidity is ever called with funds at stake (anything more than a few thousand dollars), it becomes profitable for MEV bots and other frontrunners to frontrun the _addLiquidity() call by skewing the pool reserves (lowering the amount of LP tokens returned to the protocol) and then taking advantage of the extra liquidity, arbing the Curve pool back to its unskewed value. Bots that do this already exist on the mainnet.

Proof of Concept

https://github.com/code-423n4/2021-09-yaxis/blob/cf7d9448e70b5c1163a1773adb4709d9d6ad6c99/contracts/v3/strategies/NativeStrategyCurve3Crv.sol#L73

Recommended Mitigation Steps

Add a minimum amount out variable to all calls involving added liquidity.
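
Added example, not part of the original report or the yAxis code: a fee-free Python model of a three-coin StableSwap pool, showing how skewed reserves reduce the LP tokens minted for a single-sided deposit and how a minimum-out check rejects that deposit. The amplification value, balances, deposit size, 50 bps tolerance and the function names are constructed assumptions.

```python
# Fee-free 3-coin StableSwap model, balances in 18-decimal units (added example).
N, A = 3, 100            # coin count; amplification coefficient (assumed value)
ANN, E = A * N, 10**18
POOL = [100_000_000 * E] * 3     # constructed balanced reserves: DAI, USDC, USDT
DEPOSIT = [5_000_000 * E, 0, 0]  # constructed strategy deposit: 5M DAI

def get_D(xp):
    """Solve the StableSwap invariant for D by Newton iteration."""
    S = D = sum(xp)
    for _ in range(255):
        D_P = D
        for x in xp:
            D_P = D_P * D // (x * N)
        D_prev, D = D, (ANN * S + D_P * N) * D // ((ANN - 1) * D + (N + 1) * D_P)
        if abs(D - D_prev) <= 1:
            break
    return D

def swap_in(xp, i, j, dx):
    """Reserves after someone sells dx of coin i for coin j (D is preserved)."""
    D = get_D(xp)
    new = [x + dx if k == i else x for k, x in enumerate(xp)]
    c, S_ = D, 0
    for k in range(N):
        if k != j:
            S_ += new[k]
            c = c * D // (new[k] * N)
    c = c * D // (ANN * N)
    b, y = S_ + D // ANN, D
    for _ in range(255):
        y_prev, y = y, (y * y + c) // (2 * y + b - D)
        if abs(y - y_prev) <= 1:
            break
    new[j] = y
    return new

def add_liquidity(xp, supply, amounts, min_mint_amount):
    """LP minted for a deposit; raises (reverts) below the caller's minimum."""
    D0 = get_D(xp)
    D1 = get_D([x + a for x, a in zip(xp, amounts)])
    minted = supply * (D1 - D0) // D0
    if minted < min_mint_amount:
        raise ValueError("minted LP below min_mint_amount")
    return minted

def min_mint(xp, supply, amounts, slippage_bps=50):
    """Floor from a quote on a trusted (unmanipulated) state, minus tolerance."""
    return add_liquidity(xp, supply, amounts, 0) * (10_000 - slippage_bps) // 10_000
```

The floor only protects the deposit when its quote comes from a state the frontrunner cannot touch, such as an off-chain quote passed in by the caller. A minimum computed on-chain in the same transaction from the pool's current reserves is derived from the skewed state and will pass.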

uN2RVw5q commented 2 years ago

I think this is a duplicate of https://github.com/code-423n4/2021-09-yaxis-findings/issues/140.

GalloDaSballo commented 2 years ago

Duplicate of #140