code-423n4 / 2021-12-vader-findings


Minting and burning synths exposes users to unlimited slippage #51

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

TomFrenchBlockchain

Vulnerability details

Impact

LPs remaining in VaderPool end up paying all transfer fees for LPs which leave the pool.

Proof of Concept

See VaderPoolV2.mintSynth: https://github.com/code-423n4/2021-12-vader/blob/fd2787013608438beae361ce1bb6d9ffba466c45/contracts/dex-v2/pool/VaderPoolV2.sol#L153-L194

Here a user sends nativeDeposit to the pool and the equivalent amount of foreignAsset is minted as a synth to be sent to the user. However, the user can't specify the minimum amount of synth that they would accept. A frontrunner can then manipulate the reserves of the pool in order to make foreignAsset appear more valuable than it really is, so the user receives synths which are worth much less than what nativeDeposit is worth. This is equivalent to a swap without a slippage limit.

Burning synths essentially runs the same process in behalf, so manipulating the pool in the opposite direction will result in the user getting fewer of nativeAsset than they expect.

Note that the sponsor has stated that the "slip" mechanism prevents manipulation of the pool's reserves; however, this can easily be avoided by breaking a large trade into a number of smaller trades to minimise the additional slippage incurred.

Recommended Mitigation Steps

Add an argument for the minimum amount of synths to mint or nativeAsset to receive.
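
The minimum-output check recommended in this report, as an added example that is not part of the original issue or the Vader codebase: a simplified Python model showing a mint priced from shifted reserves with and without the check. It assumes constant-product pricing with no fee and that a mint adds the deposit to the native reserve; `Pool`, `quote_out`, `mint_synth`, `min_synth_out` and all reserve figures are constructed for illustration.

```python
# Simplified model, not VaderPoolV2 code. Assumptions: constant-product
# pricing without fees; all names and reserve figures are constructed.

class SlippageExceeded(Exception):
    """Stands in for the revert a contract-side check would trigger."""

def quote_out(amount_in, reserve_in, reserve_out):
    # Integer floor division, as EVM arithmetic would do.
    return amount_in * reserve_out // (reserve_in + amount_in)

class Pool:
    def __init__(self, reserve_native, reserve_foreign):
        self.reserve_native = reserve_native
        self.reserve_foreign = reserve_foreign

    def swap_native_for_foreign(self, amount_in):
        out = quote_out(amount_in, self.reserve_native, self.reserve_foreign)
        self.reserve_native += amount_in
        self.reserve_foreign -= out
        return out

    def mint_synth(self, native_deposit, min_synth_out=0):
        # Synths are priced from whatever the reserves are at execution time.
        synth = quote_out(native_deposit, self.reserve_native, self.reserve_foreign)
        if synth < min_synth_out:  # the check the report recommends
            raise SlippageExceeded(f"would mint {synth}, minimum {min_synth_out}")
        self.reserve_native += native_deposit  # assumption: deposit joins reserve
        return synth

def demo():
    deposit = 10_000
    expected = quote_out(deposit, 1_000_000, 1_000_000)  # quote the user saw
    min_out = expected * 99 // 100                       # 1% tolerance

    pool = Pool(1_000_000, 1_000_000)
    pool.swap_native_for_foreign(500_000)   # reserves shift before the mint lands
    unprotected = pool.mint_synth(deposit)  # min_synth_out=0: accepts any price
    try:
        pool.mint_synth(deposit, min_out)
        protected = "minted"
    except SlippageExceeded:
        protected = "reverted"
    return expected, min_out, unprotected, protected

if __name__ == "__main__":
    print(demo())
```

With the default `min_synth_out=0` the mint succeeds at less than half the quoted amount; with the 1% bound the same call fails instead of executing at the shifted price.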

jack-the-pug commented 2 years ago

Dup of #2