In the above example code, we set our token_BAL limit to 0, which means we are willing to accept 100% slippage on our trade. That is generally a very bad idea
It lacks slippage control when calling BALANCER_VAULT.swap, making it suffer from 100% slippage and front-running attack.
A good practice would be to user queryExit in BalancerHelpers to find the current amounts of tokens you would get for your BPT, and then account for some possible slippage.
Lines of code
https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L249 https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L257-L263 https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L275
Vulnerability details
Impact
In balancer document:
It lacks slippage control when calling
BALANCER_VAULT.swap
, making it suffer from 100% slippage and front-running attack.Proof of Concept
The third parameter of
BALANCER_VAULT.swap
is 0:https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L249
https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L275
And the
minAmountsOut
is empty:https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L257-L263
Tools Used
None
Recommended Mitigation Steps
Consider setting a
limit
value forBALANCER_VAULT.swap
andminAmountsOut
.minAmountsOut good practice: