Lines of code
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L249
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L275

Vulnerability details

Impact
The single swaps in `_harvest` carry no slippage limit and no deadline, which makes them vulnerable to sandwich attacks and other MEV exploits and may lead to a significant loss of yield.

Proof of Concept
When using `BALANCER_VAULT.swap` here and here, there is no slippage protection. Therefore a call to `_harvest` that generates swaps could be exploited for sandwich attacks or other MEV exploits such as JIT.

The scenario would be: an authorized actor calls `harvest`, leading to a swap of, say, x `auraBAL` to `BAL/ETH BPT` and then y `WETH` to `BAL`. Then, while the transaction is in the mempool, it is exploited, for example as described in https://medium.com/coinmonks/defi-sandwich-attack-explain-776f6f43b2fd

Recommended Mitigation Steps
The easiest mitigation would be to pass the minimum amount of `AURA` that the swap is expected to receive as a parameter of `harvest`. It should not add security issues, as callers of `harvest` are trusted.

Another solution would be to do as here and use CoW Swap, for example, or any other aggregator.
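The following contract is an added illustration of the recommended mitigation and is not code from the vested-aura repository. It shows the unprotected pattern the finding describes (a `limit` of 0 and an unbounded `deadline` passed to the Balancer V2 Vault) next to a hardened `harvest` that takes a minimum amount out and a deadline from the trusted caller. The Vault interface is trimmed to the members used here; the pool ID, token addresses, the `keeper` role and the function names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's code. Pool ID, tokens and the keeper
// address are placeholders supplied at deployment.

interface IAsset {}

interface IBalancerVault {
    enum SwapKind { GIVEN_IN, GIVEN_OUT }

    struct SingleSwap {
        bytes32 poolId;
        SwapKind kind;
        IAsset assetIn;
        IAsset assetOut;
        uint256 amount;
        bytes userData;
    }

    struct FundManagement {
        address sender;
        bool fromInternalBalance;
        address payable recipient;
        bool toInternalBalance;
    }

    // For GIVEN_IN swaps `limit` is the minimum amount out the Vault will accept;
    // the Vault reverts if the block timestamp is past `deadline`.
    function swap(
        SingleSwap memory singleSwap,
        FundManagement memory funds,
        uint256 limit,
        uint256 deadline
    ) external payable returns (uint256 amountCalculated);
}

contract HarvestSwapExample {
    IBalancerVault public immutable BALANCER_VAULT;
    bytes32 public immutable POOL_ID;   // placeholder pool id
    IAsset public immutable TOKEN_IN;   // e.g. WETH (placeholder)
    IAsset public immutable TOKEN_OUT;  // e.g. BAL (placeholder)
    address public immutable keeper;    // trusted caller of harvest

    constructor(IBalancerVault vault, bytes32 poolId, IAsset tokenIn, IAsset tokenOut, address keeper_) {
        BALANCER_VAULT = vault;
        POOL_ID = poolId;
        TOKEN_IN = tokenIn;
        TOKEN_OUT = tokenOut;
        keeper = keeper_;
    }

    modifier onlyKeeper() {
        require(msg.sender == keeper, "not keeper");
        _;
    }

    // Sell `amountIn` of TOKEN_IN for TOKEN_OUT (the Vault pulls TOKEN_IN from this
    // contract, which must have approved the Vault beforehand).
    function _singleSwap(uint256 amountIn) internal view returns (IBalancerVault.SingleSwap memory) {
        return IBalancerVault.SingleSwap({
            poolId: POOL_ID,
            kind: IBalancerVault.SwapKind.GIVEN_IN,
            assetIn: TOKEN_IN,
            assetOut: TOKEN_OUT,
            amount: amountIn,
            userData: ""
        });
    }

    function _funds() internal view returns (IBalancerVault.FundManagement memory) {
        return IBalancerVault.FundManagement({
            sender: address(this),
            fromInternalBalance: false,
            recipient: payable(address(this)),
            toInternalBalance: false
        });
    }

    // BEFORE (the pattern the finding describes): any amount out is accepted and the
    // transaction never expires, so a sandwiched swap still succeeds at a bad price.
    function harvestUnprotected(uint256 amountIn) external onlyKeeper returns (uint256) {
        return BALANCER_VAULT.swap(_singleSwap(amountIn), _funds(), 0, type(uint256).max);
    }

    // AFTER: the trusted keeper quotes the swap off-chain, subtracts its tolerance and
    // passes the result as `minAmountOut`; the Vault reverts if the pool returns less
    // or if the transaction is mined after `deadline`.
    function harvest(uint256 amountIn, uint256 minAmountOut, uint256 deadline)
        external
        onlyKeeper
        returns (uint256 amountOut)
    {
        require(minAmountOut > 0, "min out is zero");
        require(deadline >= block.timestamp, "deadline passed");
        amountOut = BALANCER_VAULT.swap(_singleSwap(amountIn), _funds(), minAmountOut, deadline);
        // Defence in depth: the Vault already enforces the limit for GIVEN_IN swaps.
        require(amountOut >= minAmountOut, "slippage");
    }
}
```

A keeper would call `harvest(amountIn, quote * (10_000 - toleranceBps) / 10_000, block.timestamp + 300)` or similar from its bot; because the minimum is chosen per call by a trusted party, a stale or over-tight value only causes a revert, never a loss, which is why the finding notes it adds no new security issues.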