sherlock-audit / 2022-10-mover-judging


GalloDaSballo - M-04 Hardcoded Slippage allows front-running for Synapse Bridge #103

Closed sherlock-admin closed 2 years ago

sherlock-admin commented 2 years ago

GalloDaSballo

medium

M-04 Hardcoded Slippage allows front-running for Synapse Bridge

Summary

While a hardcoded slippage is better than no slippage, understand that 5% slippage is pretty lax and is a pretty juicy MEV opportunity.

A tighter slippage, or rather a check to enforce that _data contains slippage would allow for customizability while giving stronger security guarantees.

Vulnerability Detail

Because the slippage is hardcoded at 5%, MEV searchers will have a clear arbitrage.

Impact

Code Snippet

https://github.com/sherlock-audit/2022-10-mover/blob/main/cardtopup_contract/contracts/HardenedTopupProxy.sol#L356-L369

Tool used

Manual Review

Recommendation

Consider hardcoding a tighter slippage (1%, especially on Polygon), or allow the caller to specify a slippage within range and default to 5% in case they do not.

Duplicate of #53
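As an added illustration of the recommendation above (a bounded, caller-supplied slippage with the 5% default as a fallback), not code from HardenedTopupProxy or the project. The contract and function names, and the assumption that `_data` carries a single ABI-encoded `uint256` basis-point value, are mine:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative only: lets the caller tighten slippage below the 5% default
/// but never loosen it. Names and the _data encoding are assumptions.
contract BoundedSlippageExample {
    uint256 internal constant BPS_DENOMINATOR = 10_000;
    // 5%: the lax value the finding criticises, kept only as the fallback
    uint256 internal constant DEFAULT_SLIPPAGE_BPS = 500;
    // Upper bound for caller-supplied values; equal to the default here
    uint256 internal constant MAX_SLIPPAGE_BPS = DEFAULT_SLIPPAGE_BPS;

    error SlippageOutOfRange(uint256 requestedBps);

    /// Resolves the slippage (in bps) to apply.
    /// Assumed encoding: empty _data means "use the default"; otherwise
    /// _data is abi.encode(uint256 slippageBps) supplied by the caller.
    function _resolveSlippageBps(bytes memory _data) internal pure returns (uint256) {
        if (_data.length == 0) {
            return DEFAULT_SLIPPAGE_BPS;
        }
        // Malformed payloads revert rather than silently falling back to 5%
        require(_data.length == 32, "bad slippage data");
        uint256 requested = abi.decode(_data, (uint256));
        // Reject anything looser than the hardcoded maximum
        if (requested > MAX_SLIPPAGE_BPS) {
            revert SlippageOutOfRange(requested);
        }
        return requested;
    }

    /// Minimum acceptable bridge output for a quoted amount, after slippage.
    /// With empty _data: 10_000 * 9_500 / 10_000 = 9_500 (the 5% default).
    /// With abi.encode(uint256(100)): 10_000 * 9_900 / 10_000 = 9_900 (1%).
    function computeMinOut(uint256 quotedOut, bytes memory _data) public pure returns (uint256) {
        uint256 slippageBps = _resolveSlippageBps(_data);
        return quotedOut * (BPS_DENOMINATOR - slippageBps) / BPS_DENOMINATOR;
    }
}
```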

McMannaman commented 2 years ago

This is more of a duplicate of https://github.com/sherlock-audit/2022-10-mover-judging/issues/53 than of 124.