c4-pre-sort
commented
1 year ago 0xSorryNotSorry marked the issue as low quality report
Closed code423n4 closed 1 year ago
c4-pre-sort
commented
1 year ago 0xSorryNotSorry marked the issue as low quality report
GalloDaSballo
commented
1 year ago Maybe as QA
c4-judge
commented
1 year ago GalloDaSballo marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/EthRouter.sol#L45
Vulnerability details
Impact
There is no implementation of a router for PrivatePools with an ERC20 base token in the repository. PrivatePool is implemented without protection against slippage, which is assumed to be the responsibility of the router. Such a router exists for pools with ETH (where
baseToken=address(0)), but is missing for regular ERC-20 tokens. If a trader interacts with PrivatePool directly, they will inevitably be frontrun and lose money due to slippage.Recommended Mitigation Steps
It is recommended to implement a router for pools with ERC-20 tokens.