code-423n4 / 2021-11-vader-findings


Unused slippage params #253

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

pauliax

Vulnerability details

Impact

Unused slippage params. The function addLiquidity in VaderRouter (both V1 and V2) does not use slippage parameters:

 uint256, // amountAMin = unused
 uint256, // amountBMin = unused

making it susceptible to sandwich attacks / MEV. For a more detailed explanation, see: https://github.com/code-423n4/2021-09-bvecvx-findings/issues/57

Recommended Mitigation Steps

Consider paying some attention to the slippage to reduce possible manipulation attacks from mempool snipers.
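How minimum-amount parameters named amountAMin / amountBMin are enforced in a Uniswap V2-style router, as an added example that is not part of the original report and is not Vader's code. It models the public UniswapV2Router02 amount calculation in Python; the reserve and deposit figures, `min_with_tolerance` and `outcome` are constructed for illustration, and Vader's own pool math is not modeled.

```python
# Added illustration: Python model of the UniswapV2Router02 amount check.
# Not Vader code; all reserve and deposit figures below are constructed.

class SlippageError(Exception):
    """Stands in for a Solidity revert."""

def quote(amount_in, reserve_in, reserve_out):
    # Amount of the other asset that keeps the pool's current ratio.
    if amount_in <= 0 or reserve_in <= 0 or reserve_out <= 0:
        raise ValueError("amounts and reserves must be positive")
    return amount_in * reserve_out // reserve_in

def min_with_tolerance(amount, tolerance_bps):
    # Minimum the depositor signs, e.g. 50 bps = 0.5% tolerance.
    return amount * (10_000 - tolerance_bps) // 10_000

def add_liquidity_amounts(res_a, res_b, a_desired, b_desired, a_min, b_min):
    # Reserves are read at execution time, after any earlier trades in the block.
    if res_a == 0 and res_b == 0:
        return a_desired, b_desired          # first deposit sets the ratio
    b_optimal = quote(a_desired, res_a, res_b)
    if b_optimal <= b_desired:
        if b_optimal < b_min:
            raise SlippageError("INSUFFICIENT_B_AMOUNT")
        return a_desired, b_optimal
    a_optimal = quote(b_desired, res_b, res_a)
    if a_optimal < a_min:
        raise SlippageError("INSUFFICIENT_A_AMOUNT")
    return a_optimal, b_desired

def outcome(reserves, desired, mins):
    # Returns the accepted amounts, or the revert reason as a string.
    try:
        return add_liquidity_amounts(*reserves, *desired, *mins)
    except SlippageError as exc:
        return str(exc)

if __name__ == "__main__":
    desired = (1_000, 2_000)                 # quoted against a 1:2 pool
    mins = tuple(min_with_tolerance(x, 50) for x in desired)   # (995, 1990)
    quoted = (1_000_000, 2_000_000)          # reserves when the user signed
    moved = (1_100_000, 1_820_000)           # reserves when the tx executes
    print(outcome(quoted, desired, mins))    # deposit accepted
    print(outcome(moved, desired, mins))     # rejected by the minimum
    print(outcome(moved, desired, (0, 0)))   # zero minimums: never rejected
```

In this model the minimums are the only link between the ratio the depositor saw and the ratio the transaction executes against; with zero minimums any ratio is accepted.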

SamSteinGG commented 3 years ago

Slippage checks are impossible in the Thorchain CLP model.

alcueca commented 2 years ago

Taking as main over #1 as it is a more general issue, but refer to #1 for a more detailed description and justification for the severity rating.