search

code-423n4 / 2024-01-curves-findings

1 stars 0 forks source link

No slippage protection on buy and sell causes sandwich attacks #328

Closed c4-bot-8 closed 10 months ago

c4-bot-8 commented 10 months ago

Lines of code

https://github.com/code-423n4/2024-01-curves/blob/516aedb7b9a8d341d0d2666c23780d2bd8a9a600/contracts/Curves.sol#L211 https://github.com/code-423n4/2024-01-curves/blob/516aedb7b9a8d341d0d2666c23780d2bd8a9a600/contracts/Curves.sol#L364 https://github.com/code-423n4/2024-01-curves/blob/516aedb7b9a8d341d0d2666c23780d2bd8a9a600/contracts/Curves.sol#L377 https://github.com/code-423n4/2024-01-curves/blob/516aedb7b9a8d341d0d2666c23780d2bd8a9a600/contracts/Curves.sol#L404 https://github.com/code-423n4/2024-01-curves/blob/516aedb7b9a8d341d0d2666c23780d2bd8a9a600/contracts/Curves.sol#L282 https://github.com/code-423n4/2024-01-curves/blob/516aedb7b9a8d341d0d2666c23780d2bd8a9a600/contracts/Curves.sol#L504

Vulnerability details

Impact

The Curves contract lets users buy and sell Curves tokens. The price of the tokens is proportional to the existing supply at the time of purchase or sale.

The issue is that the methods that facilitate buying and selling do not protect against slippage and frontrunning. The user can only provide the token and amount that should be purchased or sold as parameter. A slippage-limiting parameter cannot be passed.

This enables MEV bots or malicious actors to frontrun buys and sells by sandwiching user transactions, which can lead to significant losses for the user.

The affected methods are:

Proof of Concept

https://github.com/code-423n4/2024-01-curves/blob/516aedb7b9a8d341d0d2666c23780d2bd8a9a600/contracts/Curves.sol#L211 https://github.com/code-423n4/2024-01-curves/blob/516aedb7b9a8d341d0d2666c23780d2bd8a9a600/contracts/Curves.sol#L364 https://github.com/code-423n4/2024-01-curves/blob/516aedb7b9a8d341d0d2666c23780d2bd8a9a600/contracts/Curves.sol#L377 https://github.com/code-423n4/2024-01-curves/blob/516aedb7b9a8d341d0d2666c23780d2bd8a9a600/contracts/Curves.sol#L404 https://github.com/code-423n4/2024-01-curves/blob/516aedb7b9a8d341d0d2666c23780d2bd8a9a600/contracts/Curves.sol#L282 https://github.com/code-423n4/2024-01-curves/blob/516aedb7b9a8d341d0d2666c23780d2bd8a9a600/contracts/Curves.sol#L504

Tools Used

None

Recommended Mitigation Steps

Each of the methods mentioned above should be equipped with a slippage limiting parameter, e.g. maxAmountIn for buy and minAmountOut for sells, that reverts the transaction in case of too high slippage.

Assessed type

MEV

c4-pre-sort commented 10 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 10 months ago

raymondfam marked the issue as duplicate of #13

c4-judge commented 9 months ago

alcueca marked the issue as unsatisfactory: Invalid

c4-judge commented 9 months ago

alcueca marked the issue as unsatisfactory: Invalid

c4-judge commented 9 months ago

alcueca marked the issue as unsatisfactory: Invalid