Open c4-bot-1 opened 8 months ago
alex-ppg marked the issue as primary issue
alex-ppg marked the issue as sufficient quality report
mariapiamo (sponsor) confirmed
kupermind marked the issue as disagree with severity
dmvt changed the severity to 2 (Med Risk)
dmvt marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2023-12-autonolas/blob/2a095eb1f8359be349d23af67089795fb0be4ed1/lockbox-solana/solidity/liquidity_lockbox.sol#L277
Vulnerability details
Impact
Vanilla example of missing slippage protection.
Proof of Concept
As any AMM, Orca implements slippage protections by letting the caller specify the minimum amount of input and output tokens to be used in a given operation, so that if the transaction outputs a value less than the expected ones, it will revert preventing users from incurring in unacceptable losses.
In our situation, we are interested in the
decreaseLiquidity
handler:decrease_liquidity, lines 18 and 19
The code snippet above calculates the delta variations of the two tokens amount in the given pool and reverts the whole transaction if the calculated amounts are less than the specified ones. However, if we go to
liquidity_lockbox, function withdraw
we see that
token_min_a
andtoken_min_b
are hard-coded to $0$, meaning that the liquidity decrease operation will accept ANY amount in exchange, even $0$, leading to a loss of funds as MEV exists in Solana too (see here). The mathematical reason is that$$x >= 0, \forall x \in [0, 2⁶⁴-1]$$
so the errors
won't be triggered as
meaning there is no slippage protection at all if called with
token_min_a = token_min_b = 0
(as it's the case withliquidity_lockbock::withdraw
).Recommended Mitigation Steps
Let users provide the minimum amount of tokens they are willing to use as function arguments and pass them straight to
decreaseLiquidity
like:Assessed type
Other