code-423n4 / 2021-10-slingshot-findings


Minimum amount front running/sandwich attacks #91

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

pauliax

Vulnerability details

Impact

A similar issue was submitted in the previous Slingshot contest and was assigned a severity of medium: https://ipfs.io/ipfs/bafybeicjla2h26q3wz4s344bsrtvhkxr3ypm44owvrzyorb2t6tcptlmem/C4%20Slingshot%20report.pdf

I see the same issue is also present in this codebase: If a finalAmountMin is chosen that does not closely reflect the received amount one would get at the market rate, this could lead to the trade being front-run and to fewer tokens than with a tighter slippage amount. The min amount returned is hardcoded to 1 for all the modules.

Recommended Mitigation Steps

Consider either using a sensible min amount or letting users set it via parameters.

tommyz7 commented 2 years ago

Minimum amount is checked here, so there's no need to check in modules.

alcueca commented 2 years ago

Dispute accepted
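
The behaviour discussed in this thread, as an added Python model that is not Slingshot's code and not part of any comment above: every hop accepts a minimum of 1, and one final check enforces finalAmountMin on the end result. The constant-product pools, the 0.3% fee, the reserves and every name other than finalAmountMin are assumptions made for illustration.

```python
# Added illustration: a numeric model, not the contract's code.
# Everything except the name finalAmountMin is an assumption.

MODULE_MIN_OUT = 1  # per-hop minimum hardcoded in the modules, per the finding


def swap_out(amount_in, reserve_in, reserve_out, fee_bps=30):
    """Constant-product output of one hop, integer math, fee in basis points."""
    in_after_fee = amount_in * (10_000 - fee_bps)
    return (in_after_fee * reserve_out) // (reserve_in * 10_000 + in_after_fee)


def execute_trades(amount_in, hops, final_amount_min):
    """Run each hop with a minimum of 1, then check finalAmountMin once."""
    amount = amount_in
    for reserve_in, reserve_out in hops:
        amount = swap_out(amount, reserve_in, reserve_out)
        if amount < MODULE_MIN_OUT:
            raise ValueError("hop returned less than the module minimum")
    # The single top-level check: this is what bounds the trader's loss.
    if amount < final_amount_min:
        raise ValueError(
            f"final amount {amount} is below finalAmountMin {final_amount_min}"
        )
    return amount


def min_from_quote(quoted_out, slippage_bps):
    """Derive finalAmountMin from a quoted output and a tolerance in bps."""
    return quoted_out * (10_000 - slippage_bps) // 10_000


# Constructed sample data: (reserve_in, reserve_out) for a two-hop route.
QUOTED_HOPS = [(1_000_000, 2_000_000), (5_000_000, 1_000_000)]
# The same route after the first pool's price moved against the trader
# between quoting and inclusion of the transaction.
MOVED_HOPS = [(1_100_000, 1_820_000), (5_000_000, 1_000_000)]

if __name__ == "__main__":
    quoted = execute_trades(10_000, QUOTED_HOPS, 1)
    tight = min_from_quote(quoted, 50)  # 0.5% tolerance
    print("quoted:", quoted, "finalAmountMin:", tight)
    print("loose minimum fills at:", execute_trades(10_000, MOVED_HOPS, 1))
    try:
        execute_trades(10_000, MOVED_HOPS, tight)
    except ValueError as err:
        print("tight minimum reverts:", err)
```

With a finalAmountMin derived from the quote, the moved route reverts at the final check even though every hop passed its minimum of 1; with finalAmountMin set to 1 the same trade fills at the worse price.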