code-423n4 / 2022-06-nibbl-findings

sell function does not have minimum threshold on the _minAmtOut #318

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVault.sol#L362

Vulnerability details

Impact

During the code review, it has been observed that the _saleReturn value is not resistant to slippage on the minAmtOut. To protect value from slippage, the protocol should ensure that minAmtOut is different than zero.

Proof of Concept

https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVault.sol#L362

Tools Used

Recommended Mitigation Steps

Check minAmtOut is different than zero.

GalloDaSballo commented 2 years ago

See https://github.com/code-423n4/2022-06-nibbl/blob/8c3dbd6adf350f35c58b31723d42117765644110/contracts/NibblVault.sol#L387

HardlyDifficult commented 2 years ago

> To protect value from slippage, the protocol should ensure that minAmtOut is different than zero.

If this was done as recommended, the same concern could apply when minAmtOut is set to 1. It's not clear that requiring > 0 offers any additional guarantees - except maybe trying to communicate to users that this value should not be ignored. However, it seems that's a responsibility for the code comments and frontend.
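
An added sketch of the point made in the last comment, not code from the NibblVault repository: it assumes a toy constant-product pool rather than Nibbl's bonding curve, and `ToyPool`, `min_out_with_tolerance` and `scenario` are hypothetical names. A nonzero check accepts a floor of 1 with the same result as 0, while a floor derived from the quoted return makes the sale revert once the price has moved.

```python
# Toy model, constructed for illustration: a constant-product pool, NOT Nibbl's curve.
class Revert(Exception):
    pass

class ToyPool:
    def __init__(self, token_reserve, eth_reserve):
        self.token_reserve = token_reserve
        self.eth_reserve = eth_reserve

    def quote_sell(self, amt_in):
        # Return for selling amt_in tokens at the current reserves.
        return self.eth_reserve * amt_in // (self.token_reserve + amt_in)

    def sell(self, amt_in, min_amt_out, require_nonzero=False):
        # require_nonzero models the mitigation recommended in the report.
        if require_nonzero and min_amt_out == 0:
            raise Revert("minAmtOut is zero")
        sale_return = self.quote_sell(amt_in)
        # The slippage bound proper: revert if the return fell below the caller's floor.
        if sale_return < min_amt_out:
            raise Revert("return too low")
        self.token_reserve += amt_in
        self.eth_reserve -= sale_return
        return sale_return

def min_out_with_tolerance(quoted, tolerance_bps):
    # Caller-side floor: the quoted return minus a tolerance in basis points.
    return quoted * (10_000 - tolerance_bps) // 10_000

def scenario(choose_min_out, require_nonzero):
    # Quote, let another sale move the price, then execute with the chosen floor.
    pool = ToyPool(1_000_000, 1_000_000)   # constructed reserves
    quoted = pool.quote_sell(10_000)
    min_out = choose_min_out(quoted)
    pool.sell(200_000, 0)                  # unrelated sale lands first
    try:
        return quoted, pool.sell(10_000, min_out, require_nonzero)
    except Revert as exc:
        return quoted, str(exc)

if __name__ == "__main__":
    print(scenario(lambda q: 0, False))
    print(scenario(lambda q: 1, True))
    print(scenario(lambda q: min_out_with_tolerance(q, 100), True))
```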