QA Report

[code423n4]

Lines of code

https://github.com/code-423n4/2022-04-dualityfocus/blob/main/contracts/vault_and_oracles/UniV3LpVault.sol#L621-L627

Vulnerability details

Impact

There is no slippage control on _swap of UniV3LpVault, which expose strategy to sandwich attack.

    function _swap(bytes memory swapPath, uint256 amount) internal returns (uint256 amountOut) {
        IERC20Detailed(swapPath.toAddress(0)).approve(address(swapRouter), amount);
        amountOut = swapRouter.exactInput(
            ISwapRouter.ExactInputParams(swapPath, address(this), block.timestamp + 200, amount, 0)
        );
        IERC20Detailed(swapPath.toAddress(0)).approve(address(swapRouter), 0);
    }

https://docs.uniswap.org/protocol/reference/periphery/interfaces/ISwapRouter#exactinputparams

Proof of Concept

https://github.com/code-423n4/2022-04-dualityfocus/blob/main/contracts/vault_and_oracles/UniV3LpVault.sol#L621-L627 https://docs.uniswap.org/protocol/reference/periphery/interfaces/ISwapRouter#exactinputparams

Tools Used

None

Recommended Mitigation Steps

Replace 0 in the parameter of _swap with amountOutMinimum.

[0xdramaone]

Duplicate of #42

[JeeberC4]

Generating QA Report as warden did not submit one and judge downgraded issue. Preserving original title: No slippage control on _swap of UniV3LpVault