Closed code423n4 closed 1 year ago
minhquanym marked the issue as duplicate of #158
dmvt marked the issue as unsatisfactory: Insufficient quality
dmvt changed the severity to 2 (Med Risk)
dmvt marked the issue as satisfactory
dmvt marked the issue as unsatisfactory: Insufficient quality
dmvt marked the issue as duplicate of #245
Lines of code
https://github.com/Tapioca-DAO/tapioca-yieldbox-strategies-audit/blob/05ba7108a83c66dada98bc5bc75cf18004f2a49b/contracts/aave/AaveStrategy.sol#L193
https://github.com/Tapioca-DAO/tapioca-yieldbox-strategies-audit/blob/05ba7108a83c66dada98bc5bc75cf18004f2a49b/contracts/convex/ConvexTricryptoStrategy.sol#L207
https://github.com/Tapioca-DAO/tapioca-yieldbox-strategies-audit/blob/05ba7108a83c66dada98bc5bc75cf18004f2a49b/contracts/curve/TricryptoNativeStrategy.sol#L171
Vulnerability details
Impact
The strategy uses the current pool value to calculate its amount out, which can always be manipulated by flash loans. Such swaps can be front-run, making the strategy execute at a bad price.
Proof of Concept
This only uses the current pool value to get the amount out and can be front-run to make bad trades.
Tools Used
Manual review
Recommended Mitigation Steps
Use trusted oracles or make miniAmount an input for it.
Assessed type
Uniswap
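
The following is an added example, not part of the original report and not code from the Tapioca strategies: a small model of why a minimum output derived from the pool's own current state gives no protection, while a caller-supplied minimum does. It assumes a constant-product pool with a 0.30% fee and a 0.5% tolerance; the reserves and the names `Pool`, `swap_self_quoted` and `swap_caller_bound` are constructed for illustration.

```python
from dataclasses import dataclass

FEE_BPS = 30  # assumed pool fee (0.30%)


@dataclass
class Pool:
    """Toy constant-product pool (x * y = k) using integer math."""
    reserve_in: int
    reserve_out: int

    def quote(self, amount_in: int) -> int:
        # Output implied by the reserves as they are right now.
        amt = amount_in * (10_000 - FEE_BPS)
        return amt * self.reserve_out // (self.reserve_in * 10_000 + amt)

    def swap(self, amount_in: int, min_out: int) -> int:
        out = self.quote(amount_in)
        if out < min_out:
            raise ValueError("slippage: insufficient output")
        self.reserve_in += amount_in
        self.reserve_out -= out
        return out


def swap_self_quoted(pool: Pool, amount_in: int, slippage_bps: int = 50) -> int:
    # Pattern described in the report: the minimum comes from the same pool
    # state the swap executes against, so it moves with that state.
    min_out = pool.quote(amount_in) * (10_000 - slippage_bps) // 10_000
    return pool.swap(amount_in, min_out)


def swap_caller_bound(pool: Pool, amount_in: int, min_out: int) -> int:
    # Recommended mitigation: the minimum is an input fixed by the caller
    # (for example from a trusted oracle), independent of pool state.
    return pool.swap(amount_in, min_out)


def run_demo():
    amount_in = 10_000
    fair_out = Pool(1_000_000, 1_000_000).quote(amount_in)
    caller_min = fair_out * 9_950 // 10_000  # 0.5% below the fair quote
    # Constructed reserves: the same pool after its price has been moved.
    self_quoted_out = swap_self_quoted(Pool(1_500_000, 666_667), amount_in)
    try:
        swap_caller_bound(Pool(1_500_000, 666_667), amount_in, caller_min)
        reverted = False
    except ValueError:
        reverted = True
    return fair_out, self_quoted_out, reverted
```

In this model the self-quoted swap completes at less than half the fair output, while the caller-bound swap reverts instead of executing.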