Lines of code
https://github.com/code-423n4/2023-11-shellprotocol/blob/485de7383cdf88284ee6bcf2926fb7c19e9fb257/src/adapters/Curve2PoolAdapter.sol#L162-L171
https://github.com/code-423n4/2023-11-shellprotocol/blob/485de7383cdf88284ee6bcf2926fb7c19e9fb257/src/adapters/CurveTricryptoAdapter.sol#L198-L221
Vulnerability details
Impact
Due to the lack of slippage protection in CurveTricryptoAdapter::primitiveOutputAmount and Curve2PoolAdapter::primitiveOutputAmount, user deposits and withdrawals are vulnerable to being sandwich attacked.
Proof of Concept
CurveTricryptoAdapter::primitiveOutputAmount and Curve2PoolAdapter::primitiveOutputAmount add liquidity and remove liquidity without any slippage protection, allowing withdrawals to be sandwiched and stolen. In both instances, the third argument is hard coded to zero, which effectively bypasses any slippage protection.
Tools Used
vscode
Recommended Mitigation Steps
Implement functionality that allows users to specify a minimum output amount.
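The following is an added example, not code from the finding or from the Shell Protocol repository. It uses a constructed constant-product pool (Curve pools use a different invariant; the simplification only serves to show the mechanism) to illustrate both the Proof of Concept and the mitigation above: a deposit whose minimum mint amount is hard coded to zero is accepted even after the pool has moved against the user, while the same deposit submitted with a user-supplied minimum derived from the quote at signing time is rejected. All pool balances, the deposit size, the front-running trade size and the 1% tolerance are constructed values.

```python
import math
from dataclasses import dataclass


class SlippageExceeded(Exception):
    """Raised when the pool would deliver less than the caller's stated minimum."""


@dataclass
class ToyPool:
    """Constructed constant-product pool (x * y = k) with LP shares.

    Deliberately simplified stand-in for a Curve pool; it is not Curve's math.
    It exists only to show why a hard-coded minimum of zero removes the
    depositor's protection.
    """
    x: float
    y: float
    lp_supply: float

    def swap_x_for_y(self, dx: float) -> float:
        """Trade dx of X into the pool; returns the Y paid out (no fee modelled)."""
        dy = self.y - (self.x * self.y) / (self.x + dx)
        self.x += dx
        self.y -= dy
        return dy

    def quote_add_liquidity_x(self, dx: float) -> float:
        """Shares a single-sided deposit of dx would mint at the current pool state."""
        k_before = self.x * self.y
        k_after = (self.x + dx) * self.y
        return self.lp_supply * (math.sqrt(k_after / k_before) - 1.0)

    def add_liquidity_x(self, dx: float, min_mint_amount: float) -> float:
        """Single-sided deposit with a min-mint check, as a user-facing adapter should pass it."""
        minted = self.quote_add_liquidity_x(dx)
        if minted < min_mint_amount:
            raise SlippageExceeded(f"would mint {minted:.4f} < minimum {min_mint_amount:.4f}")
        self.lp_supply += minted
        self.x += dx
        return minted


# Constructed scenario: pool state the user saw when signing, and the user's deposit.
INITIAL_X, INITIAL_Y, INITIAL_SUPPLY = 1000.0, 1000.0, 1000.0
USER_DEPOSIT_X = 100.0
SKEWING_TRADE_X = 500.0  # constructed: a large trade that lands before the deposit


def expected_shares() -> float:
    """Quote the user would have seen at signing time (pool in its original state)."""
    pool = ToyPool(INITIAL_X, INITIAL_Y, INITIAL_SUPPLY)
    return pool.quote_add_liquidity_x(USER_DEPOSIT_X)


def min_with_tolerance(quote: float, tolerance_bps: int) -> float:
    """Turn a quote into a minimum output the user is willing to accept."""
    return quote * (10_000 - tolerance_bps) / 10_000


def deposit_after_price_move(min_mint_amount: float):
    """Execute the deposit after the pool has been skewed against the depositor.

    Returns the shares minted, or None if the slippage check rejected the deposit.
    """
    pool = ToyPool(INITIAL_X, INITIAL_Y, INITIAL_SUPPLY)
    pool.swap_x_for_y(SKEWING_TRADE_X)  # price moves before the user's tx lands
    try:
        return pool.add_liquidity_x(USER_DEPOSIT_X, min_mint_amount)
    except SlippageExceeded:
        return None


if __name__ == "__main__":
    quote = expected_shares()
    print(f"quoted shares at signing:            {quote:.4f}")
    print(f"minted with min_mint_amount = 0:      {deposit_after_price_move(0.0):.4f}")
    protected = deposit_after_price_move(min_with_tolerance(quote, 100))
    print(f"minted with 1% tolerance:             {protected}")
```

With the minimum hard coded to zero, the deposit goes through and mints roughly a third fewer shares than quoted, and the difference is what a sandwiching party can capture. With a minimum derived from the quote, the same transaction reverts and the user keeps their funds, which is exactly what exposing a user-supplied minimum output amount in the adapters achieves.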
Assessed type
MEV