code-423n4 / 2024-05-bakerfi-findings


No slippage protection during the uniswap swap #26

Closed c4-bot-5 closed 5 months ago

c4-bot-5 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-05-bakerfi/blob/main/contracts/core/hooks/UseSwapper.sol#L72

Vulnerability details

Proof of Concept

The UseSwapper hook provides a _swap function that allows exactIn and exactOut swaps in Uniswap. When the exactIn type is provided, the function sets 0 as amountOutMinimum, which opens a window for sandwiching the transaction to make a profit.

The ISwapHandler.SwapType.EXACT_INPUT type is used by the protocol inside the _convertFromWETH and _convertToWETH functions. In both cases it's possible to steal some amount of funds.

This is how I see a typical attack. A user wants to withdraw his shares, so a flashloan is taken to repay some debt, then collateral is withdrawn to swap it to WETH. The attacker will sandwich the call to steal some amount from the user, but will leave enough funds to cover the flashloan + fees, so the call doesn't revert.

Impact

User's funds can be stolen.

Tools Used

VsCode

Recommended Mitigation Steps

You should use slippage protection and check whether enough funds were returned by the swap. You can calculate the min amount with oracle prices and deduct some 1% slippage.

Assessed type

Error
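One way to implement the mitigation recommended above, as an added example that is not BakerFi's code and not the fix the project shipped. The library name `SlippageGuard`, its functions and its errors are hypothetical; it assumes both oracle prices use the same quote currency and precision and that the caller has already checked them for staleness.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

/// Added example: derives an oracle-based floor for an exact-input swap.
/// All identifiers in this library are hypothetical, not part of BakerFi.
library SlippageGuard {
    uint256 internal constant BPS = 10_000; // 100% in basis points

    error InvalidSlippage(uint256 slippageBps);
    error InvalidPrice();
    error InsufficientOutput(uint256 received, uint256 minimum);

    /// @param amountIn    Input amount in tokenIn's smallest unit.
    /// @param priceIn     Oracle price of tokenIn (assumed same quote/precision as priceOut).
    /// @param priceOut    Oracle price of tokenOut.
    /// @param decimalsIn  Decimals of tokenIn.
    /// @param decimalsOut Decimals of tokenOut.
    /// @param slippageBps Tolerated slippage in basis points (100 = 1%).
    /// @return Value to pass as amountOutMinimum instead of 0.
    function minAmountOut(
        uint256 amountIn,
        uint256 priceIn,
        uint256 priceOut,
        uint8 decimalsIn,
        uint8 decimalsOut,
        uint256 slippageBps
    ) internal pure returns (uint256) {
        // A tolerance of 100% or more would reproduce the zero floor.
        if (slippageBps >= BPS) revert InvalidSlippage(slippageBps);
        if (priceIn == 0 || priceOut == 0) revert InvalidPrice();

        // Fair output at oracle prices, rescaled from tokenIn to tokenOut decimals.
        // Checked arithmetic (0.8.x) reverts on overflow rather than wrapping.
        uint256 fair = (amountIn * priceIn * 10 ** uint256(decimalsOut))
            / (priceOut * 10 ** uint256(decimalsIn));

        // Integer division rounds the floor down, so a fair swap is never rejected.
        return (fair * (BPS - slippageBps)) / BPS;
    }

    /// Defence in depth: re-check the amount actually received after the swap,
    /// so the guarantee does not depend on the router enforcing the minimum.
    function requireMinOut(uint256 received, uint256 minimum) internal pure {
        if (received < minimum) revert InsufficientOutput(received, minimum);
    }
}
```

With `slippageBps = 100` this yields the 1% tolerance mentioned in the recommendation. A swap executed against a pool whose price was pushed more than that away from the oracle price then reverts instead of settling at the manipulated rate.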

c4-judge commented 5 months ago

0xleastwood marked the issue as duplicate of #32

c4-judge commented 5 months ago

0xleastwood marked the issue as satisfactory