code-423n4 / 2022-06-badger-findings


no slippage control on _harvest #9

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/Badger-Finance/vested-aura/blob/main/contracts/MyStrategy.sol#L249

Vulnerability details

Impact

There is no slippage control on _harvest, which exposes the strategy to a sandwich attack.

            uint256 balEthBptEarned = BALANCER_VAULT.swap(singleSwap, fundManagement, 0, type(uint256).max);
...
            harvested[0].amount = BALANCER_VAULT.swap(singleSwap, fundManagement, 0, type(uint256).max);
...
    function swap(
        SingleSwap memory singleSwap,
        FundManagement memory funds,
        uint256 limit,
        uint256 deadline
    ){
    ...
            _require(singleSwap.kind == SwapKind.GIVEN_IN ? amountOut >= limit : amountIn <= limit, Errors.SWAP_LIMIT);

Proof of Concept

https://github.com/Badger-Finance/vested-aura/blob/main/contracts/MyStrategy.sol#L249
https://github.com/Badger-Finance/vested-aura/blob/main/contracts/MyStrategy.sol#L275

Tools Used

None

Recommended Mitigation Steps

Use an oracle to get the limit
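An added example, not part of the original report and not Badger's code: one way to derive a non-zero `limit` for the GIVEN_IN swaps quoted above, so that the vault's `amountOut >= limit` check reverts with SWAP_LIMIT when the pool price has been pushed away from the oracle price. `IPriceOracle`, `HarvestSwapGuard`, the 1% tolerance, the Solidity version and the 18-decimal tokens are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0; // assumed version; 0.8 gives checked arithmetic

// Hypothetical oracle interface (not from the page or from Balancer).
interface IPriceOracle {
    // Assumed to return a manipulation-resistant price of one whole tokenIn
    // expressed in tokenOut, scaled by 1e18. Both tokens assumed 18 decimals.
    function price(address tokenIn, address tokenOut) external view returns (uint256);
}

// Hypothetical helper that turns an oracle quote into a swap limit.
contract HarvestSwapGuard {
    uint256 public constant MAX_BPS = 10000;
    uint256 public constant MAX_SLIPPAGE_BPS = 100; // 1%, assumed tolerance

    IPriceOracle public immutable oracle;

    constructor(IPriceOracle _oracle) {
        oracle = _oracle;
    }

    /// @notice Minimum acceptable output for a GIVEN_IN swap of `amountIn`.
    /// @dev Pass the result as the third argument of swap() instead of 0.
    function minAmountOut(address tokenIn, address tokenOut, uint256 amountIn)
        public
        view
        returns (uint256)
    {
        uint256 p = oracle.price(tokenIn, tokenOut);
        // A zero quote would silently recreate the limit = 0 case, so reject it.
        require(p > 0, "oracle: zero price");

        // Output expected at the oracle price, then reduced by the tolerance.
        uint256 expectedOut = (amountIn * p) / 1e18;
        return (expectedOut * (MAX_BPS - MAX_SLIPPAGE_BPS)) / MAX_BPS;
    }
}

// Call-site sketch inside the strategy (tokenIn/tokenOut stand for the
// swap's two assets; deadline kept as on the page):
//
//   uint256 limit = guard.minAmountOut(tokenIn, tokenOut, singleSwap.amount);
//   BALANCER_VAULT.swap(singleSwap, fundManagement, limit, type(uint256).max);
```

The oracle must not read its price from the same pool spot state that the swap executes against, otherwise the limit moves together with the manipulated price.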

GalloDaSballo commented 2 years ago

Dup of #5