Closed sherlock-admin closed 1 year ago
immeas
medium
Vault::claimTokens
Vault::claimTokens trades with uniswap at any price. This can be abused by others to do trades stealing value from vault stakers and game players.
Uniswap quoter uses 0 as sqrtPriceLimitX96 which lets Vault trade at any price: https://github.com/Uniswap/v3-periphery/blob/6cce88e63e176af1ddb6cc56e029110289622317/contracts/lens/Quoter.sol#L113
sqrtPriceLimitX96
Vault
Since Vault::claimTokens is public and can be called by anyone this can be abused by traders to wrap token claims in sandwich trades.
Claiming reward tokens from protocols can be stolen by wrapping them in sandwich trades.
https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/libraries/Swap.sol#L71-L94
Manual Review
Use an oracle with twap (chainlink/uniswap) and use the price with a configured buffer and use as amountOutMinimum.
amountOutMinimum
Duplicate of #64
immeas
medium
Vault::claimTokens
uniswap swaps can be abusedSummary
Vault::claimTokens
trades with uniswap at any price. This can be abused by others to do trades stealing value from vault stakers and game players.Vulnerability Detail
Uniswap quoter uses 0 as
sqrtPriceLimitX96
which letsVault
trade at any price: https://github.com/Uniswap/v3-periphery/blob/6cce88e63e176af1ddb6cc56e029110289622317/contracts/lens/Quoter.sol#L113Since
Vault::claimTokens
is public and can be called by anyone this can be abused by traders to wrap token claims in sandwich trades.Impact
Claiming reward tokens from protocols can be stolen by wrapping them in sandwich trades.
Code Snippet
https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/libraries/Swap.sol#L71-L94
Tool used
Manual Review
Recommendation
Use an oracle with twap (chainlink/uniswap) and use the price with a configured buffer and use as
amountOutMinimum
.Duplicate of #64