search

code-423n4 / 2022-01-notional-findings

1 stars 3 forks source link

`sNOTE.sol#_mintFromAssets()` Lack of slippage control #181

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

WatchPug

Vulnerability details

ttps://github.com/code-423n4/2022-01-notional/blob/d171cad9e86e0d02e0909eb66d4c24ab6ea6b982/contracts/sNOTE.sol#L195-L209

BALANCER_VAULT.joinPool{value: msgValue}(
    NOTE_ETH_POOL_ID,
    address(this),
    address(this), // sNOTE will receive the BPT
    IVault.JoinPoolRequest(
        assets,
        maxAmountsIn,
        abi.encode(
            IVault.JoinKind.EXACT_TOKENS_IN_FOR_BPT_OUT,
            maxAmountsIn,
            0 // Accept however much BPT the pool will give us
        ),
        false // Don't use internal balances
    )
);

The current implementation of mintFromNOTE() and mintFromETH() and mintFromWETH() (all are using _mintFromAssets() with minimumBPT hardcoded to 0) provides no parameter for slippage control, making it vulnerable to front-run attacks.

Recommendation

Consider adding a minAmountOut parameter for these functions.

pauliax commented 2 years ago

Great find, slippage should be configurable and not hardcoded to 0.