The system provides getMintAmountOut and getRedeemAmountOut functions for quoting how many Credit tokens are minted for a given amount of collateral tokens, and how much collateral is returned on redeem. However, there is no slippage protection: the amount minted or redeemed depends on the creditMultiplier, which changes whenever the system records profit or loss (PnL), so the effective price of the Credit token can move between the time a user reads the quote and the time the transaction executes.
Proof of Concept
The following sequence can occur under normal operation:
1). The price of the Credit token is 0.7 USDC, i.e. the ratio is 1 Credit : 0.7 USDC.
2). The user calls getMintAmountOut(100e6) and the contract returns 142 Credit tokens to be minted.
3). While the user's transaction is in the mempool, the system records profit and creditMultiplier is updated so that the Credit token is 1:1 with USDC.
4). When the user's transaction executes, they receive only 100e18 Credit tokens, which is not what the user agreed to.
Tools Used
Manual Review.
Recommended Mitigation Steps
Add slippage protection: take a minimum acceptable output amount from the caller and, if amountOut = getMintAmountOut(amountIn) or amountOut = getRedeemAmountOut(amountIn) is less than that value, revert.
i.e.:
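As an added illustration of the recommended mitigation (this is example code written for this report, not the project's SimplePSM and not the project's own fix), the toy contract below mirrors the mint/redeem quoting shape described above: a 6-decimal collateral, an 18-decimal credit token, and a creditMultiplier that a stand-in owner function can move the way a profit/loss update would. The interfaces, the contract name, setCreditMultiplier, mintWithSlippage and redeemWithSlippage are all hypothetical names introduced here. The unprotected mint shows the failure mode from the proof of concept; the *WithSlippage variants revert when the amount at execution time falls below the caller's minAmountOut.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal token interfaces so the example compiles stand-alone.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface ICreditToken is IERC20 {
    function mint(address to, uint256 amount) external;
    function burn(address from, uint256 amount) external;
}

/// Toy peg-stability module: 6-decimal collateral in, 18-decimal credit token out.
/// creditMultiplier == 1e18 means 1 credit token == 1 collateral unit. It is
/// updated out-of-band; here an owner call stands in for the PnL accounting.
contract SlippageProtectedPSM {
    uint256 public constant DECIMAL_CORRECTION = 1e12; // 6 -> 18 decimals
    uint256 public creditMultiplier = 1e18;

    address public immutable owner;
    IERC20 public immutable collateral;
    ICreditToken public immutable credit;

    error NotOwner();
    error TransferFailed();
    error SlippageExceeded(uint256 amountOut, uint256 minAmountOut);

    constructor(IERC20 _collateral, ICreditToken _credit) {
        owner = msg.sender;
        collateral = _collateral;
        credit = _credit;
    }

    // Stand-in for the profit/loss update that moves the credit price.
    function setCreditMultiplier(uint256 newMultiplier) external {
        if (msg.sender != owner) revert NotOwner();
        creditMultiplier = newMultiplier;
    }

    // Quote: credit minted for amountIn collateral at the *current* multiplier.
    // With creditMultiplier = 0.7e18: getMintAmountOut(100e6) = 1e38 / 7e17 ~= 142.86e18
    // With creditMultiplier = 1e18:   getMintAmountOut(100e6) = 100e18
    function getMintAmountOut(uint256 amountIn) public view returns (uint256) {
        return (amountIn * DECIMAL_CORRECTION * 1e18) / creditMultiplier;
    }

    // Quote: collateral returned for amountIn credit at the current multiplier.
    function getRedeemAmountOut(uint256 amountIn) public view returns (uint256) {
        return (amountIn * creditMultiplier) / 1e18 / DECIMAL_CORRECTION;
    }

    // Unprotected shape: the caller receives whatever the multiplier yields at
    // execution time, even if it moved after they read the quote.
    function mint(address to, uint256 amountIn) external returns (uint256 amountOut) {
        amountOut = getMintAmountOut(amountIn);
        if (!collateral.transferFrom(msg.sender, address(this), amountIn)) revert TransferFailed();
        credit.mint(to, amountOut);
    }

    // Hardened: the caller passes the minimum they accept (typically the quote
    // they saw minus a tolerance). A multiplier change that lowers the output
    // makes the transaction revert instead of silently minting less.
    function mintWithSlippage(address to, uint256 amountIn, uint256 minAmountOut)
        external
        returns (uint256 amountOut)
    {
        amountOut = getMintAmountOut(amountIn);
        if (amountOut < minAmountOut) revert SlippageExceeded(amountOut, minAmountOut);
        if (!collateral.transferFrom(msg.sender, address(this), amountIn)) revert TransferFailed();
        credit.mint(to, amountOut);
    }

    // Same check on the redeem side: a multiplier drop between quote and
    // execution would otherwise return less collateral than quoted.
    function redeemWithSlippage(address to, uint256 amountIn, uint256 minAmountOut)
        external
        returns (uint256 amountOut)
    {
        amountOut = getRedeemAmountOut(amountIn);
        if (amountOut < minAmountOut) revert SlippageExceeded(amountOut, minAmountOut);
        credit.burn(msg.sender, amountIn);
        if (!collateral.transfer(to, amountOut)) revert TransferFailed();
    }
}
```

Walking the proof of concept through this contract: with creditMultiplier at 0.7e18 a user quotes getMintAmountOut(100e6) and gets roughly 142.86e18; if setCreditMultiplier(1e18) lands first, mint(to, 100e6) pays out 100e18, while mintWithSlippage(to, 100e6, 142e18) reverts with SlippageExceeded(100e18, 142e18). The minimum is computed off-chain by the caller from the quote they actually saw, which is what ties the executed amount back to what the user agreed to.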
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/SimplePSM.sol#L138
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/SimplePSM.sol#L107
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/SimplePSM.sol#L124
Assessed type
MEV