SEVERITY: Medium
PATH: HATVault.sol:withdraw, redeem, deposit, mint
REMEDIATION: Add a parameter that lets the caller specify the maximum/minimum number of shares or assets accepted for the deposit/withdraw/redeem/mint calls respectively. Check these bounds on-chain to detect slippage and protect the user from unexpected exchange-rate changes, and implement the corresponding functionality in the front-end for EOAs. Please refer to EIP-5143 (https://eips.ethereum.org/EIPS/eip-5143) for further details.
STATUS:
DESCRIPTION:
HATVault implements ERC4626 for its vault mechanics, but the OpenZeppelin implementation does not include slippage protection by default. As stated in EIP-5143, a deriving contract should implement slippage checks if it allows EOAs to interact with it, which is the case for HATVault.
As a result, the bug reporter can arrange a bounty claim call by frontrunning a vault withdrawal or backrunning a deposit call to maximise the profit.
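The remediation shape in code, as an added illustration that is not HATVault's own implementation: EIP-5143 overloads layered on top of OpenZeppelin's ERC4626, each calling the unprotected base function and reverting if the caller's bound is not met (the import path is assumed to be OpenZeppelin's standard one).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {ERC4626} from "@openzeppelin/contracts/token/ERC20/extensions/ERC4626.sol";

/// Constructed example: EIP-5143 slippage-protected entry points for an
/// ERC4626 vault. Because the bound is checked after the base call, a revert
/// rolls back the whole deposit/mint/withdraw/redeem, so the user is never
/// left with a worse exchange rate than they accepted.
abstract contract SlippageProtectedVault is ERC4626 {
    error SlippageExceeded(uint256 bound, uint256 actual);

    /// Deposit `assets`, refusing to mint fewer than `minShares`.
    function deposit(uint256 assets, address receiver, uint256 minShares)
        external returns (uint256 shares)
    {
        shares = deposit(assets, receiver);           // base ERC4626 call
        if (shares < minShares) revert SlippageExceeded(minShares, shares);
    }

    /// Mint `shares`, refusing to pull more than `maxAssets` from the caller.
    function mint(uint256 shares, address receiver, uint256 maxAssets)
        external returns (uint256 assets)
    {
        assets = mint(shares, receiver);
        if (assets > maxAssets) revert SlippageExceeded(maxAssets, assets);
    }

    /// Withdraw `assets`, refusing to burn more than `maxShares`.
    function withdraw(uint256 assets, address receiver, address owner, uint256 maxShares)
        external returns (uint256 shares)
    {
        shares = withdraw(assets, receiver, owner);
        if (shares > maxShares) revert SlippageExceeded(maxShares, shares);
    }

    /// Redeem `shares`, refusing to pay out fewer than `minAssets`.
    function redeem(uint256 shares, address receiver, address owner, uint256 minAssets)
        external returns (uint256 assets)
    {
        assets = redeem(shares, receiver, owner);
        if (assets < minAssets) revert SlippageExceeded(minAssets, assets);
    }
}
```

The front-end derives each bound from `previewDeposit`/`previewMint`/`previewWithdraw`/`previewRedeem` at quote time plus the user's tolerance, so a bounty payout that lands between the quote and the inclusion of the transaction makes the call revert instead of silently shifting value.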