Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/reLP/ReLPContract.sol#L286-L295
Vulnerability details
Impact
The amount being LP'd into Uniswap can get stolen through MEV.
Proof of Concept
The reLP contract re-LPs a certain amount of the tokens that enter after a bond gets bought. The issue arises because no proper minimum liquidity amounts are passed when calling addLiquidity() on a Uniswap V2 pool.
Tools Used
Manual review
Recommended Mitigation Steps
Consider passing appropriate minimum liquidity amounts to addLiquidity().
Assessed type
Uniswap
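To illustrate the recommended mitigation, the following is an added example, not code from the Dopex repository: a Python model of the amount checks the Uniswap V2 router applies inside addLiquidity(). It shows that zero minimums accept whatever ratio the pool has at execution time, while minimums derived from a slippage tolerance cause a revert. The reserve figures, the 50 bps tolerance and the helper names are constructed for illustration, and the model assumes the pool already holds liquidity.

```python
# Added example: model of the amount checks in Uniswap V2's router addLiquidity().
# Reserve figures and the 50 bps tolerance are constructed for illustration.

class InsufficientAmount(Exception):
    """Stands in for the router's revert."""

def quote(amount_in, reserve_in, reserve_out):
    # Equivalent value of amount_in in the other token at the current reserve ratio.
    if amount_in <= 0 or reserve_in <= 0 or reserve_out <= 0:
        raise ValueError("amounts and reserves must be positive")
    return amount_in * reserve_out // reserve_in

def add_liquidity_amounts(res_a, res_b, a_desired, b_desired, a_min, b_min):
    # The router deposits at whatever ratio the pool has at execution time;
    # a_min / b_min are the only bound on how far that ratio may have moved.
    b_optimal = quote(a_desired, res_a, res_b)
    if b_optimal <= b_desired:
        if b_optimal < b_min:
            raise InsufficientAmount("INSUFFICIENT_B_AMOUNT")
        return a_desired, b_optimal
    a_optimal = quote(b_desired, res_b, res_a)
    if a_optimal < a_min:
        raise InsufficientAmount("INSUFFICIENT_A_AMOUNT")
    return a_optimal, b_desired

def min_amounts(a_desired, b_desired, slippage_bps):
    # Minimums derived from the amounts the caller intended to deposit.
    keep = 10_000 - slippage_bps
    return a_desired * keep // 10_000, b_desired * keep // 10_000

def try_add(reserves, desired, mins):
    # Returns the deposited amounts, or the revert reason as a string.
    try:
        return add_liquidity_amounts(*reserves, *desired, *mins)
    except InsufficientAmount as exc:
        return str(exc)

QUOTED = (1_000_000, 1_000_000)   # reserves when the amounts were chosen
MOVED = (2_000_000, 500_000)      # reserves at execution, ratio shifted 4x
DESIRED = (10_000, 10_000)
SAFE_MINS = min_amounts(*DESIRED, slippage_bps=50)

if __name__ == "__main__":
    print("zero mins, moved pool:", try_add(MOVED, DESIRED, (0, 0)))
    print("safe mins, moved pool:", try_add(MOVED, DESIRED, SAFE_MINS))
    print("safe mins, same pool: ", try_add(QUOTED, DESIRED, SAFE_MINS))
```
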