Closed code423n4 closed 2 years ago
Duplicate of #113
Lines of code
https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/ClearingHouse.sol#L163-L186
https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/AMM.sol#L209-L282
Vulnerability details
Impact
The _liquidateMaker() function makes a call to AMM.removeLiquidity() but does not provide suitable values for minQuote and minBase. As per the @todo, this call is prone to sandwich attacks, resulting in potentially fewer tokens for the maker.
Proof of Concept
Tools Used
Manual code review.
Recommended Mitigation Steps
Consider adding proper slippage checks.
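
Added example, not part of the original report or of the Hubble code base: a Python model of the slippage check recommended above, showing that zero minimums accept whatever split the reserves give at execution time while derived minimums make the withdrawal revert. The fee-less constant-product pool, every class and function name, and all numbers are constructed assumptions (Hubble's AMM uses a different curve); only the idea of minQuote/minBase bounds comes from the report.

```python
from __future__ import annotations
from dataclasses import dataclass

class SlippageError(Exception):
    """Raised when a withdrawal would return less than the caller's minimums."""

@dataclass
class Pool:
    """Constructed fee-less constant-product pool (a simplification, not Hubble's AMM)."""
    quote: int
    base: int
    total_shares: int

    def swap_quote_for_base(self, quote_in: int) -> int:
        k = self.quote * self.base
        self.quote += quote_in
        new_base = -(-k // self.quote)            # round up in the pool's favour
        base_out, self.base = self.base - new_base, new_base
        return base_out

    def preview_remove(self, shares: int) -> tuple[int, int]:
        """Pro-rata (quote, base) a withdrawal of `shares` would return right now."""
        return self.quote * shares // self.total_shares, self.base * shares // self.total_shares

    def remove_liquidity(self, shares: int, min_quote: int, min_base: int) -> tuple[int, int]:
        quote_out, base_out = self.preview_remove(shares)
        if quote_out < min_quote or base_out < min_base:   # the slippage check
            raise SlippageError(f"got ({quote_out}, {base_out}), need ({min_quote}, {min_base})")
        self.quote -= quote_out
        self.base -= base_out
        self.total_shares -= shares
        return quote_out, base_out

def min_amounts(expected: tuple[int, int], tolerance_bps: int) -> tuple[int, ...]:
    """Scale the expected amounts down by a tolerance given in basis points."""
    return tuple(a * (10_000 - tolerance_bps) // 10_000 for a in expected)

def demo() -> dict:
    start = (1_000_000, 1_000, 1_000)             # constructed reserves and share supply
    bounds = min_amounts(Pool(*start).preview_remove(100), tolerance_bps=100)
    outcomes = {}
    for label, mins in (("zero_bounds", (0, 0)), ("derived_bounds", bounds)):
        pool = Pool(*start)
        pool.swap_quote_for_base(1_000_000)       # reserves move before the withdrawal
        try:
            outcomes[label] = pool.remove_liquidity(100, *mins)
        except SlippageError:
            outcomes[label] = "reverted"
    return {"bounds": bounds, **outcomes}
```

In a liquidation path the minimums have to come from a reference the pool's own reserves cannot move; the model takes them from a snapshot before the reserves shift.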