function deposit(uint256[4] calldata _amounts) public whenNotPaused {
// ...
}
IbbtcVaultZap.sol#deposit() adds liquidity to the Curve pool, and the amount out differs when the price of tokens in the pool changes.
However, the current implementation provides no parameter for slippage control, making it vulnerable to front-run attacks, especially for transactions with rather large volumes.
Handle
WatchPug
Vulnerability details
https://github.com/Badger-Finance/badger-ibbtc-utility-zaps/blob/6f700995129182fec81b772f97abab9977b46026/contracts/IbbtcVaultZap.sol#L144-L180
Recommendation
Consider adding a minAmountOut parameter.
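The effect of the recommended bound, as an added example that is not part of the report or of the Badger code. It assumes a simplified two-asset constant-product pool with zero fees instead of Curve's stableswap math; `Pool`, `deposit_after_price_move` and the numbers are constructed, and `min_amount_out` stands in for the recommended `minAmountOut`.

```python
import math

class SlippageExceeded(Exception):
    """Stands in for a Solidity revert."""

class Pool:
    """Simplified constant-product pool (assumption: not Curve's invariant)."""
    def __init__(self, x, y, supply):
        self.x, self.y, self.supply = x, y, supply

    def quote_deposit(self, dx):
        # LP shares minted for a single-sided deposit of dx (zero fees).
        return self.supply * (math.sqrt((self.x + dx) / self.x) - 1)

    def swap_x_for_y(self, dx):
        # Any earlier transaction that changes the pool price.
        dy = self.y * dx / (self.x + dx)
        self.x += dx
        self.y -= dy
        return dy

    def deposit(self, dx, min_amount_out=0.0):
        minted = self.quote_deposit(dx)
        # The check the recommendation asks for: fail instead of accepting
        # fewer shares than the caller agreed to.
        if minted < min_amount_out:
            raise SlippageExceeded(f"minted {minted:.4f} < min {min_amount_out:.4f}")
        self.x += dx
        self.supply += minted
        return minted

def deposit_after_price_move(tolerance_bps=None, price_move=500.0):
    """Quote a deposit, let the pool price move, then execute the deposit."""
    pool = Pool(1000.0, 1000.0, 1000.0)   # constructed sample reserves
    quoted = pool.quote_deposit(100.0)    # what the user saw when signing
    if price_move:
        pool.swap_x_for_y(price_move)     # state changes before inclusion
    # tolerance_bps=None models the current deposit(): no bound at all.
    min_out = 0.0 if tolerance_bps is None else quoted * (10_000 - tolerance_bps) / 10_000
    return quoted, pool.deposit(100.0, min_out)

if __name__ == "__main__":
    print("no bound:", deposit_after_price_move())
    try:
        deposit_after_price_move(tolerance_bps=50)
    except SlippageExceeded as err:
        print("with 0.5% bound: reverted,", err)
```

Without a bound the deposit executes at whatever the pool returns at inclusion time; with a 0.5% tolerance the same deposit reverts once the price has moved.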