code-423n4 / 2022-04-backd-findings


CvxCrvRewardsLocker implements a swap without a slippage check that can result in a loss of funds through MEV #161

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/CvxCrvRewardsLocker.sol#L247-L252

Vulnerability details

Impact

The CvxCrvRewardsLocker contract swaps tokens through the CRV cvxCRV pool. But it doesn't use any slippage checks. The swap is at risk of being frontrun / sandwiched, which will result in a loss of funds.

Since MEV is very prominent, I think the chance of that happening is pretty high.

Proof of Concept

Here's the swap: https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/CvxCrvRewardsLocker.sol#L247-L252

Tools Used

none

Recommended Mitigation Steps

Use a proper value for minOut instead of 0.

gzeoneth commented 2 years ago

According to C4 Judging criteria:

Unless there is something uniquely novel created by combining vectors, most submissions regarding vulnerabilities that are inherent to a particular system or the Ethereum network as a whole should be considered QA. Examples of such vulnerabilities include front running, sandwich attacks, and MEV.

However, since there is a configurable minOut that is deliberately set to 0, this seems to be a valid issue. I am judging this as Med Risk.
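
The effect of the minOut value discussed in this thread, as an added example that is not part of the original issue or of the Backd code base: the same swap is run against a balanced and a skewed pool, once with a floor of 0 and once with a floor derived from a reference price. The constant-product pool model, the 4 bps fee, the 1:1 reference price, the 2% tolerance and all names and amounts are assumptions constructed for illustration.

```python
# Added example. Constant-product pool model: an assumption made for brevity,
# the real CRV/cvxCRV pool is a Curve pool. All numbers are constructed.
from dataclasses import dataclass

BPS = 10_000

class SlippageExceeded(Exception):
    """Stands in for the revert an on-chain swap would produce."""

@dataclass
class Pool:
    reserve_in: int    # token being sold
    reserve_out: int   # token being bought
    fee_bps: int = 4   # hypothetical pool fee

    def quote(self, dx: int) -> int:
        dx_net = dx * (BPS - self.fee_bps) // BPS
        return self.reserve_out * dx_net // (self.reserve_in + dx_net)

    def exchange(self, dx: int, min_out: int) -> int:
        dy = self.quote(dx)
        if dy < min_out:   # with min_out == 0 this can never trigger
            raise SlippageExceeded(f"got {dy}, required {min_out}")
        self.reserve_in += dx
        self.reserve_out -= dy
        return dy

def min_out_from_reference(dx: int, price_num: int, price_den: int,
                           tolerance_bps: int) -> int:
    """Floor from a reference price taken outside the pool's current state;
    a quote read from the pool in the same transaction moves with the pool."""
    return dx * price_num // price_den * (BPS - tolerance_bps) // BPS

def locker_swap(min_out: int, pool_skewed: bool) -> int:
    """Sell 10_000 units; optionally a large trade has executed just before."""
    pool = Pool(1_000_000, 1_000_000)
    if pool_skewed:
        pool.exchange(400_000, 0)
    return pool.exchange(10_000, min_out)

if __name__ == "__main__":
    floor = min_out_from_reference(10_000, 1, 1, 200)   # 2% tolerance
    print("balanced pool, minOut=0:", locker_swap(0, False))
    print("skewed pool,   minOut=0:", locker_swap(0, True))
    try:
        locker_swap(floor, True)
    except SlippageExceeded as err:
        print("skewed pool, minOut set: reverted,", err)
```

With a floor of 0 the swap against the skewed pool completes and returns roughly half of what the balanced pool pays; with the floor set it reverts and the funds stay in the contract.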