Closed c4-submissions closed 9 months ago
0xleastwood marked the issue as duplicate of #39
@0xleastwood I dont think this is a dupe of 39
this ticket is talking about applyRewards(). 39 is talking about other functions
@0xleastwood I dont think this is a dupe of 39
this ticket is talking about applyRewards(). 39 is talking about other functions
It's addressing the same function, the buyCvx()
. Where the call is originating from is not important.
My plan to fix this and #24 is pass _minOut to afEth.depositRewards() (in an upcoming PR).
Together with the fix for #31 (https://github.com/asymmetryfinance/afeth/pull/169) I think this issue will then be fixed
Giving partial credit to this because it does not consider the case for withdraw()
/sellCvx()
0xleastwood marked the issue as partial-50
0xleastwood marked the issue as duplicate of #23
I mentioned the case for withdraw()
/sellCvx()
in #67 (QA) under L-07. I considered those of low severity since the user is not supposed to interact directly with VotiumStrategy, which implies that no security guarantees are given and thus none are violated. The case of buyCvx()
is more severe because it involves a lack of slippage protection in AfEth. But even here the issue is not in buyCvx()
itself. As @elmutt correctly points out, the focal point of the issue is applyRewards()
, which is where the _minOut
parameter must be supplied.
The main issue #23 doesn't even mention the impact on AfEth, but rather the same warden reported this in #24.
My plan to fix this and #24 is pass _minOut to afEth.depositRewards() (in an upcoming PR).
Together with the fix for #31 (asymmetryfinance/afeth#169) I think this issue will then be fixed
https://github.com/asymmetryfinance/afeth/pull/176 https://github.com/asymmetryfinance/afeth/pull/178
Noted, restoring full credit to account for the added context outlined in the warden's QA report #67.
0xleastwood marked the issue as full credit
0xleastwood marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2023-09-asymmetry/blob/6b4867491350f8327d0ac4f496f263642cf3c1be/contracts/strategies/votium/VotiumStrategyCore.sol#L239 https://github.com/code-423n4/2023-09-asymmetry/blob/6b4867491350f8327d0ac4f496f263642cf3c1be/contracts/strategies/votium/VotiumStrategyCore.sol#L272
Vulnerability details
Impact
Rewards deposit is not slippage protected and susceptible to MEV-attacks.
Proof of Concept
VotiumCoreStrategy.buyCvx()
is not slippage protected, as even acknowledged by the comment inThis is handled at the afEth level only for deposits (when it is called via
VotiumStrategy.deposit()
byAfEth.deposit()
which has a_minout
), but NOT for rewards deposits.Rewards are initiated by
VotiumStrategyCore.applyRewards()
which callsVotiumStrategyCore.depositRewards()
either directly or viaAfEth.depositRewards()
.VotiumStrategyCore.depositRewards()
thenbuyCvx()
. None of these functions has a_minout
or similar for slippage protection (it is sufficient to note thatapplyRewards()
doesn't have such a parameter).Recommended Mitigation Steps
Add a
if (ethReceived < _minout) revert BelowMinOut()
slippage protection inVotiumStrategyCore.applyRewards()
.Assessed type
MEV