Closed code423n4 closed 1 year ago
trust1995 marked the issue as duplicate of #177
trust1995 marked the issue as satisfactory
trust1995 changed the severity to 3 (High Risk)
trust1995 changed the severity to 2 (Med Risk)
trust1995 changed the severity to 3 (High Risk)
trust1995 changed the severity to 2 (Med Risk)
Lines of code
https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/talos/base/TalosBaseStrategy.sol#L353-L361
Vulnerability details
Impact
Undesired swaps / mints / withdrawals will occur.
Proof of Concept
Only when redeeming in TalosBaseStrategy.sol is the slippage set as
amount0Min
andamount1Min
:For the rest of the functions like
init
,_withdrawAll
,deposit
, bothamount0Min
andamount1Min
is set to zero.Whereas the protocol refunds the unused amounts back to the user, there is no slippage protection when engaging in Uniswap v3 functions like mint, increase liquidity and decrease liquidity.
In Uniswapv3 Docs, it is mentioned that:
For mint, the issue with 0 slippage is that a function calling mint with no slippage protection would be vulnerable to a frontrunning attack designed to execute the mint call at an inaccurate price.
Reference: https://docs.uniswap.org/contracts/v3/guides/providing-liquidity/mint-a-position
Tools Used
VSCode
Recommended Mitigation Steps
Having the input parameters
amount0Min
andamount1Min
instead of settingamount0Min: 0
andamount1Min: 0
will be good for slippage protection.Assessed type
Uniswap