code-423n4 / 2022-06-badger-findings


No slippage control when calling exitPool in _harvest function #10

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/Badger-Finance/vested-aura/blob/main/contracts/MyStrategy.sol#L257-L263

Vulnerability details

Impact

There is no slippage control when calling exitPool in the _harvest function, which exposes the strategy to sandwich attacks.

            IBalancerVault.ExitPoolRequest memory exitPoolRequest = IBalancerVault.ExitPoolRequest({
                assets: assets,
                minAmountsOut: new uint256[](2),
                userData: abi.encode(ExitKind.EXACT_BPT_IN_FOR_ONE_TOKEN_OUT, balEthBptEarned, BPT_WETH_INDEX),
                toInternalBalance: false
            });
            BALANCER_VAULT.exitPool(BAL_ETH_POOL_ID, address(this), payable(address(this)), exitPoolRequest);
...
    function _processExitPoolTransfers(
        address payable recipient,
        PoolBalanceChange memory change,
        bytes32[] memory balances,
        uint256[] memory amountsOut,
        uint256[] memory dueProtocolFeeAmounts
    ) private returns (bytes32[] memory finalBalances) {
        finalBalances = new bytes32[](balances.length);
        for (uint256 i = 0; i < change.assets.length; ++i) {
            uint256 amountOut = amountsOut[i];
            _require(amountOut >= change.limits[i], Errors.EXIT_BELOW_MIN);

Proof of Concept

https://github.com/Badger-Finance/vested-aura/blob/main/contracts/MyStrategy.sol#L257-L263

Tools Used

None

Recommended Mitigation Steps

Use an oracle to get the limit
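An added example (not part of the original report or of Badger's or Balancer's code) that models the single-token exit in Python to show what a zeroed `minAmountsOut` means for the `EXIT_BELOW_MIN` check, and how an oracle-derived limit changes the outcome. The 80/20 weights, pool balances, oracle price and 1% tolerance are constructed assumptions, all function names are hypothetical, and swap fees are ignored.

```python
# Added illustration: constructed numbers, swap fees ignored.
W_BAL, W_WETH = 0.8, 0.2  # assumed 80/20 BAL/WETH weighted pool


class ExitBelowMin(Exception):
    """Stands in for the Vault's _require(..., Errors.EXIT_BELOW_MIN)."""


def skew_pool(bal, weth, bal_in):
    """Pool balances after a large BAL -> WETH swap lands ahead of the exit."""
    weth_out = weth * (1 - (bal / (bal + bal_in)) ** (W_BAL / W_WETH))
    return bal + bal_in, weth - weth_out


def exit_for_weth(weth, bpt_supply, bpt_in, min_weth_out):
    """EXACT_BPT_IN_FOR_ONE_TOKEN_OUT into WETH, then the limit check."""
    weth_out = weth * (1 - (1 - bpt_in / bpt_supply) ** (1 / W_WETH))
    if weth_out < min_weth_out:  # mirrors: amountOut >= change.limits[i]
        raise ExitBelowMin(f"{weth_out:.2f} < {min_weth_out:.2f}")
    return weth_out


def min_out_from_oracle(bpt_in, weth_per_bpt, slippage_bps):
    """Limit = oracle value of the BPT being burned, minus a tolerance."""
    return bpt_in * weth_per_bpt * (10_000 - slippage_bps) / 10_000


# Constructed pool state and harvest size.
BAL, WETH, BPT_SUPPLY, BPT_IN = 4_000_000.0, 10_000.0, 1_000_000.0, 1_000.0
ORACLE_WETH_PER_BPT = 0.05  # hypothetical manipulation-resistant price feed

if __name__ == "__main__":
    limit = min_out_from_oracle(BPT_IN, ORACLE_WETH_PER_BPT, 100)
    _, skewed_weth = skew_pool(BAL, WETH, 1_000_000.0)
    print("normal pool, limit 0     :", exit_for_weth(WETH, BPT_SUPPLY, BPT_IN, 0))
    print("skewed pool, limit 0     :", exit_for_weth(skewed_weth, BPT_SUPPLY, BPT_IN, 0))
    print("normal pool, oracle limit:", exit_for_weth(WETH, BPT_SUPPLY, BPT_IN, limit))
    try:
        exit_for_weth(skewed_weth, BPT_SUPPLY, BPT_IN, limit)
    except ExitBelowMin as err:
        print("skewed pool, oracle limit: reverts,", err)
```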

GalloDaSballo commented 2 years ago

Dup of #5