code-423n4 / 2022-06-badger-findings


Sandwich attack over `harvest` function #11

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L249

https://dev.balancer.fi/resources/swaps/single-swap#swap-function

Vulnerability details

Impact

Due to a bug with the slippage configuration, it is possible to make a call to the harvest method do a swap with 0 BALETH_BPT tokens.

Proof of Concept

According to the balancer documentation the limit argument represents:

> limit: The meaning of limit depends on the value of singleSwap.kind
> - GIVEN_IN: The minimum amount of tokens we would accept to receive from the swap.

So if an attacker detects the harvest transaction in the memory pool, and configures two transactions to perform a sandwich attack, the contract will perform a swap with an expected minimum of 0 tokens.

Reference:

Affected source code:

Recommended Mitigation Steps
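The effect of the `limit` argument described in this report, as an added example that is not part of the original submission nor Badger or Balancer code. It assumes a toy fee-less constant-product pool (not Balancer's weighted-pool math) with constructed reserves; `Pool`, `min_out` and `harvest_swap` are hypothetical names. A GIVEN_IN swap with limit 0 accepts whatever the moved pool returns, while a limit derived from a fair quote and a slippage tolerance makes the same swap revert.

```python
from dataclasses import dataclass

BPS = 10_000  # basis-point denominator


class SwapReverted(Exception):
    """Models the on-chain revert when output is below the caller's limit."""


@dataclass
class Pool:
    # Assumption: fee-less constant-product pool, not Balancer's weighted math.
    reserve_in: int
    reserve_out: int

    def quote(self, amount_in: int) -> int:
        return self.reserve_out * amount_in // (self.reserve_in + amount_in)

    def swap_given_in(self, amount_in: int, limit: int) -> int:
        """GIVEN_IN swap: `limit` is the minimum output the caller accepts."""
        out = self.quote(amount_in)
        if out < limit:
            raise SwapReverted(f"output {out} is below limit {limit}")
        self.reserve_in += amount_in
        self.reserve_out -= out
        return out


def min_out(fair_quote: int, slippage_bps: int) -> int:
    """Limit from a quote obtained before the pool could be moved."""
    return fair_quote * (BPS - slippage_bps) // BPS


def harvest_swap(limit: int, prior_trade_in: int, amount_in: int = 1_000) -> int:
    """Swap `amount_in` after an earlier trade of `prior_trade_in` moved the price."""
    pool = Pool(reserve_in=100_000, reserve_out=100_000)  # constructed reserves
    if prior_trade_in:
        pool.swap_given_in(prior_trade_in, 0)
    return pool.swap_given_in(amount_in, limit)


if __name__ == "__main__":
    fair = Pool(100_000, 100_000).quote(1_000)
    limit = min_out(fair, 100)  # 1% tolerance
    print("limit 0, quiet pool:", harvest_swap(0, 0))
    print("limit 0, moved pool:", harvest_swap(0, 50_000))
    try:
        harvest_swap(limit, 50_000)
    except SwapReverted as exc:
        print("limit", limit, "moved pool: reverted,", exc)
```
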

GalloDaSballo commented 2 years ago

Dup of #6

0x1f8b commented 2 years ago

Dup of https://github.com/code-423n4/2022-06-badger-findings/issues/6

Is not related to #6 @GalloDaSballo

KenzoAgada commented 2 years ago

Duplicate of #155