code-423n4 / 2022-06-badger-findings


No slippage control on harvest #64

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L249
https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L275

Vulnerability details

The harvest function executes swaps without minimum amount out specified.

Impact

MEV searchers can sandwich harvest calls to an unlimited degree, thereby making Badger get less funds than it deserves.

Proof of Concept

The _harvest function executes swaps without specifying minAmountOut:

            uint256 balEthBptEarned = BALANCER_VAULT.swap(singleSwap, fundManagement, 0, type(uint256).max);

The third parameter, 0, is the minAmountOut - see the Balancer documentation.

And similarly here:

            harvested[0].amount = BALANCER_VAULT.swap(singleSwap, fundManagement, 0, type(uint256).max);

Recommended Mitigation Steps

Before executing the harvest transaction, query balancer for the expected amount out - see here for Balancer guide on how to do so. Then, pass this amount to the harvest function, and check that the slippage is whatever percentage is acceptable for you.
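The following is an added example of the mitigation described above, written for this page and not taken from the Badger `MyStrategy` contract. It shows the vulnerable call (limit = 0) beside a hardened form in which the keeper passes the expected output it obtained off-chain (for example via the Vault's `queryBatchSwap`, as the Balancer guide describes) and the contract derives the minimum acceptable amount from a governance-set slippage cap. The `IBalancerVault` interface is a trimmed copy of the Balancer V2 Vault swap ABI with `IAsset` replaced by `address` (ABI-identical); the contract, its `keeper`/`governance` roles, and the `example` names are assumptions for illustration. Token approval to the Vault is out of scope and not shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not Badger code): a harvest entry point that lets the
// Balancer Vault revert a sandwiched swap instead of accepting any output.
interface IBalancerVault {
    enum SwapKind { GIVEN_IN, GIVEN_OUT }

    struct SingleSwap {
        bytes32 poolId;
        SwapKind kind;
        address assetIn;   // IAsset in the real ABI; address encodes identically
        address assetOut;
        uint256 amount;
        bytes userData;
    }

    struct FundManagement {
        address sender;
        bool fromInternalBalance;
        address payable recipient;
        bool toInternalBalance;
    }

    // For a GIVEN_IN swap, `limit` is the minimum amount out; the Vault
    // reverts with its SWAP_LIMIT error if fewer tokens would be received.
    function swap(
        SingleSwap memory singleSwap,
        FundManagement memory funds,
        uint256 limit,
        uint256 deadline
    ) external payable returns (uint256 amountCalculated);
}

contract ExampleHarvestWithSlippage {
    uint256 public constant MAX_BPS = 10_000;

    IBalancerVault public immutable BALANCER_VAULT;
    bytes32 public immutable poolId;   // assumed: the BAL/ETH pool id
    address public immutable tokenIn;  // assumed: the reward token being sold
    address public immutable tokenOut; // assumed: the BAL/ETH BPT being bought
    address public governance;
    address public keeper;

    // Upper bound on the slippage a keeper may accept, relative to its own quote.
    uint256 public maxSlippageBps = 50; // 0.5%

    constructor(IBalancerVault vault, bytes32 _poolId, address _in, address _out, address _keeper) {
        BALANCER_VAULT = vault;
        poolId = _poolId;
        tokenIn = _in;
        tokenOut = _out;
        governance = msg.sender;
        keeper = _keeper;
    }

    function setMaxSlippageBps(uint256 bps) external {
        require(msg.sender == governance, "not governance");
        require(bps <= MAX_BPS, "bps > 100%");
        maxSlippageBps = bps;
    }

    // minOut = expectedOut * (1 - slippage), kept public so the arithmetic is reviewable.
    function minOutFor(uint256 expectedOut, uint256 slippageBps) public pure returns (uint256) {
        require(slippageBps <= MAX_BPS, "bps > 100%");
        return (expectedOut * (MAX_BPS - slippageBps)) / MAX_BPS;
    }

    // `expectedOut` is the keeper's off-chain simulation of the swap. The cap
    // bounds deviation from that quote, so harvest is restricted to a trusted
    // keeper; an untrusted caller could otherwise pass an artificially low quote.
    function harvest(uint256 amountIn, uint256 expectedOut) external returns (uint256 received) {
        require(msg.sender == keeper, "not keeper");
        uint256 minOut = minOutFor(expectedOut, maxSlippageBps);
        require(minOut > 0, "expectedOut too small");

        IBalancerVault.SingleSwap memory singleSwap = IBalancerVault.SingleSwap({
            poolId: poolId,
            kind: IBalancerVault.SwapKind.GIVEN_IN,
            assetIn: tokenIn,
            assetOut: tokenOut,
            amount: amountIn,
            userData: new bytes(0)
        });
        IBalancerVault.FundManagement memory funds = IBalancerVault.FundManagement({
            sender: address(this),
            fromInternalBalance: false,
            recipient: payable(address(this)),
            toInternalBalance: false
        });

        // Vulnerable form from the finding: limit = 0 accepts any output.
        // received = BALANCER_VAULT.swap(singleSwap, funds, 0, type(uint256).max);

        // Hardened form: the Vault enforces the floor; the deadline is trivially
        // met here because the contract itself initiates the swap.
        received = BALANCER_VAULT.swap(singleSwap, funds, minOut, block.timestamp);
        // Defensive re-check so the invariant does not depend solely on Vault internals.
        require(received >= minOut, "slippage");
    }
}
```

With this shape, a sandwich that pushes the realised output below `expectedOut * (1 - maxSlippageBps / 10_000)` makes the whole harvest revert rather than leak value to the searcher; the keeper simply retries with a fresh quote. The second `require` is redundant with the Vault's own limit check and exists only so the contract's guarantee is visible in its own code.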

GalloDaSballo commented 2 years ago

We use flashbots

KenzoAgada commented 2 years ago

Duplicate of #155