Closed code423n4 closed 2 years ago
Harvest can't be called by non-whitelisted addresses
The fact that only a whitelisted address can call the harvest doesn't mitigate against frontrunning
Anyone can see the function in the mempool and frontrun it or sandwich the swaps
Recommend mitigating via flashbots / private transactions or by rolling an additional set of checks for slippage
Duplicate of #140
Handle
tensors
Vulnerability details
Impact
The minimum amount out on the implemented _harvest and _swap methods means that attackers can manipulate the price with flashloans/frontrun before calling _harvest to actually force the output to be small, pocketing the difference for themselves when they swap back.
Proof of Concept
https://github.com/code-423n4/2021-09-yaxis/blob/cf7d9448e70b5c1163a1773adb4709d9d6ad6c99/contracts/v3/strategies/NativeStrategyCurve3Crv.sol#L108-L127
Only 1 wei is expected output from the _harvest and the _swap call inside it on line 120.
Recommended Mitigation Steps
The expected amount out should be carefully deduced. A common solution is to use a chainlink oracle.