Function _harvest() does multiple swaps from auraBAL -> BAL/ETH BPT -> WETH -> AURA using BalancerVault, but it neither passes minAmountsOut nor checks a minimum return amount. This leaves the function vulnerable to a sandwich attack.
An attacker (who can be a malicious keeper) can front-run the swap in BalancerVault before harvest() to make a profit.
Proof of Concept
Please refer to yDai Incident to check the severity of a harvest function without slippage control.
Please refer to Mushrooms-finance-theft to check how likely this kind of attack might happen.
Recommended Mitigation Steps
Add a minimum-return parameter or check the slippage.
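The following is an added example, not code from the finding or from Badger's MyStrategy: a fee-less constant-product pool stands in for the BalancerVault hop, and constructed reserves and trade sizes show how much an unchecked harvest swap gives up under a sandwich, and how a minAmountOut derived from a pre-trade quote (the recommended fix) turns the same swap into a revert that leaves the front-runner with no profit.

```python
# Added example, not the audited code. Assumes a fee-less x*y=k pool in place of the
# Balancer hop; reserves, trade sizes and the 50 bps tolerance are constructed values.
SLIPPAGE_ERR = "slippage: amountOut below minAmountOut"


class Pool:
    """Constructed x*y=k pool; x is the token sold (e.g. WETH), y the token bought (e.g. AURA)."""

    def __init__(self, x: float, y: float) -> None:
        self.x, self.y = x, y

    def quote_y(self, dx: float) -> float:
        return self.y * dx / (self.x + dx)

    def swap_x_for_y(self, dx: float) -> float:
        dy = self.quote_y(dx)
        self.x, self.y = self.x + dx, self.y - dy
        return dy

    def swap_y_for_x(self, dy: float) -> float:
        dx = self.x * dy / (self.y + dy)
        self.x, self.y = self.x - dx, self.y + dy
        return dx


def min_out(expected_out: float, max_slippage_bps: int) -> float:
    """Lower bound the strategy should pass as its minimum-return parameter."""
    return expected_out * (10_000 - max_slippage_bps) / 10_000


def harvest_swap(pool: Pool, amount_in: float, min_amount_out: float = 0.0) -> float:
    """Strategy-side swap; min_amount_out=0 reproduces the unchecked _harvest() path."""
    if pool.quote_y(amount_in) < min_amount_out:
        raise ValueError(SLIPPAGE_ERR)  # the revert the mitigation introduces
    return pool.swap_x_for_y(amount_in)


def sandwich(pool: Pool, victim_in: float, attacker_in: float, min_amount_out: float = 0.0):
    """Front-run, victim harvest, back-run. Returns (victim_out or None if reverted, attacker profit in x)."""
    bought = pool.swap_x_for_y(attacker_in)  # front-run moves the price against the harvest
    try:
        victim_out = harvest_swap(pool, victim_in, min_amount_out)
    except ValueError:
        victim_out = None  # harvest reverts instead of accepting the worse price
    returned = pool.swap_y_for_x(bought)  # back-run unwinds the front-run position
    return victim_out, returned - attacker_in


if __name__ == "__main__":
    fair = Pool(1_000.0, 1_000_000.0).quote_y(10.0)  # quote taken before the pool is touched
    print("unprotected:", sandwich(Pool(1_000.0, 1_000_000.0), 10.0, 100.0))
    print("50 bps bound:", sandwich(Pool(1_000.0, 1_000_000.0), 10.0, 100.0, min_out(fair, 50)))
```

In the unprotected run the harvest receives roughly 17% less than the pre-trade quote and the front-runner keeps the difference; with the bound in place the harvest reverts and the unwind returns exactly what the front-runner put in.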
Lines of code
https://github.com/Badger-Finance/vested-aura/blob/b6abb069431518962e1e0b3e516daa46ae3bdd9b/contracts/MyStrategy.sol#L219