Closed code423n4 closed 1 year ago
minhquanym marked the issue as duplicate of #245
dmvt marked the issue as duplicate of #158
dmvt changed the severity to 2 (Med Risk)
dmvt marked the issue as nullified
dmvt marked the issue as duplicate of #245
Lines of code
https://github.com/Tapioca-DAO/tapioca-yieldbox-strategies-audit/blob/05ba7108a83c66dada98bc5bc75cf18004f2a49b/contracts/curve/TricryptoNativeStrategy.sol#L231-L233
Vulnerability details
Impact
TricryptoNativeStrategy
withdraw
is prone to MEV sandwich attack (bad slippage control) --> users who try to withdraw from the strategy can get MEV'd and get 0 value out of the withdrawal.Proof of Concept
_withdraw
function implements bad slippage control from the current pool state viacalcLpToWeth
(which can be manipulated). So, the slippage control check will always pass.Specifically, the attacker can flashloan and become a majority of the underlying pool (to reap most of the profits) and also make WETH really expensive in the underlying pool. So, the
calcLpToWeth
will only return minimal weth amount. So, the user's withdrawal's tx will only get those minimal WETH amount out (at a loss). And the loss will get distributed to the current underlying pool's LPs, which the attack was the majority, so the attacker can reap most of the profits there.Tools Used
Manual Review
Recommended Mitigation Steps
Assessed type
MEV