This is a problem as depending on the swapped tokens and the corresponding reserves in the curve pool, it would pretty likely (50% of the time) return lower amount then amountOutMin. This will cause the depositInProtocol and withdrawFromProtocol to revert unexpectedly.
This is also true for Swap.swapTokensMulti.
Impact
Stablecoin swaps can revert in Vault.depositInProtocol and Vault.withdrawFromProtocol causing a temporary DoS for the users.
gogo
medium
Incorrect slippage calculation in Swap.swapStableCoins
Summary
The code assumes that all stablecoins in curve pools are interchangeable for one another in a 1:1 ratio (minus pool fee).
Vulnerability Detail
Currently the amountOutMin is calculated only taking into account the input amount and the scale of the two tokens (+ the fee):
https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/libraries/Swap.sol#L42-L43
This is a problem as depending on the swapped tokens and the corresponding reserves in the curve pool, it would pretty likely (50% of the time) return lower amount then amountOutMin. This will cause the depositInProtocol and withdrawFromProtocol to revert unexpectedly.
This is also true for Swap.swapTokensMulti.
Impact
Stablecoin swaps can revert in Vault.depositInProtocol and Vault.withdrawFromProtocol causing a temporary DoS for the users.
Code Snippet
https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/libraries/Swap.sol#L42-L43
Tool used
Manual Review
Recommendation
Calculate slippage off-chain or reduce it.
Duplicate of #135