search

code-423n4 / 2023-11-shellprotocol-findings

7 stars 7 forks source link

Lack of Slippage Protection in `CurveTricryptoAdapter::primitiveOutputAmount` and `Curve2PoolAdapter::primitiveOutputAmount` #290

Closed c4-bot-6 closed 9 months ago

c4-bot-6 commented 9 months ago

Lines of code

https://github.com/code-423n4/2023-11-shellprotocol/blob/485de7383cdf88284ee6bcf2926fb7c19e9fb257/src/adapters/Curve2PoolAdapter.sol#L162-L171 https://github.com/code-423n4/2023-11-shellprotocol/blob/485de7383cdf88284ee6bcf2926fb7c19e9fb257/src/adapters/CurveTricryptoAdapter.sol#L198-L221

Vulnerability details

Impact

Due to the lack of slippage protection in the CurveTricryptoAdapter::primitiveOutputAmountand Curve2PoolAdapter::primitiveOutputAmount, user deposits and withdrawals are vulnerable to being sandwich attacked.

Proof of Concept

CurveTricryptoAdapter::primitiveOutputAmount and Curve2PoolAdapter::primitiveOutputAmount add liquidity and remove liquidity without any slippage protection allowing withdraws to be sandwiched and stolen.

/// file: Curve2PoolAdapter::primitiveOutputAmount
else if (action == ComputeType.Deposit) {
    uint256[2] memory inputAmounts;
    inputAmounts[uint256(int256(indexOfInputAmount))] = rawInputAmount;
    rawOutputAmount = ICurve2Pool(primitive).add_liquidity(inputAmounts, 0);
} else {
    rawOutputAmount = ICurve2Pool(primitive).remove_liquidity_one_coin(rawInputAmount, indexOfOutputAmount, 0);
}
/// file: CurveTricryptoAdapter::primitiveOutputAmount
} else if (action == ComputeType.Deposit) {
    ...
    ICurveTricrypto(primitive).add_liquidity(inputAmounts, 0);
} else {
    if (outputToken == zToken) {
        ...
        ICurveTricrypto(primitive).remove_liquidity_one_coin(rawInputAmount, indexOfOutputAmount, 0);
        ...
    } else {
        ICurveTricrypto(primitive).remove_liquidity_one_coin(rawInputAmount, indexOfOutputAmount, 0);
    }
}

In both instances, the third argument is hard coded to zero, which effectively bypasses any slippage protection.

Tools Used

vscode

Recommended Mitigation Steps

Implement functionality that allows users to specify a minimum output amount.

Assessed type

MEV

c4-pre-sort commented 9 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 9 months ago

raymondfam marked the issue as duplicate of #87

c4-judge commented 9 months ago

0xA5DF marked the issue as unsatisfactory: Invalid