Closed github-actions[bot] closed 1 year ago
372: # _withdraw_underlying_from_alchemix reverts on < _min_weth_out
373: amount_withdrawn: uint256 = self._withdraw_underlying_from_alchemix(amount_to_withdraw, token_owner, _min_weth_out)
liquidate reverts on line 373 if _min_weth_out is not met.
0xSmartContract
medium
liquidate() function is vulnerable to sandwich attack

Summary

In the liquidate() function, the IAlchemist(self.alchemist).liquidate external call is made with the following code, but since _min_amount_out in this call is a fixed number, 1, it is vulnerable to sandwich attack.

Vulnerability Detail
Function liquidate() is called in every liquidate in Vault contract. Liquidates the underlying debt of position[_token_id] by burning a corresponding amount of shares. Withdraws remaining value of shares as WETH to token_owner. Reverts if owner would receive less than _min_weth_out.

However, amount_shares_liquidated always has the value 1 when called by the liquidate function.

The liquidate() method has the _min_weth_out parameter, which basically serves as the slippage tolerance parameter. The problem is that everywhere in the code where amount_shares_liquidated is called, the value of _min_amount_out is just 1 wei, which basically means all swaps executed in the compound method can be sandwiched and the user can lose a huge amount of value due to slippage.

Impact
Vault.vy#L320-L352
Code Snippet
Tool used
Manual Review
Recommendation
Add a setter to dynamically configure slippage tolerance amounts on-chain, or always make sure all transactions go through a private/dark mempool.
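To illustrate the difference between a 1 wei output floor and a floor derived from a configured tolerance, here is an added example that is not part of the report or of the audited Vault code. It assumes a fee-less constant-product pool with constructed reserves; `Pool`, `min_out_from_quote` and the other names are hypothetical.

```python
from dataclasses import dataclass

BPS = 10_000
E18 = 10**18

class SlippageError(Exception):
    """Models the revert when output falls below min_out."""

@dataclass
class Pool:  # assumed constant-product pool (x * y = k), no fee
    reserve_in: int
    reserve_out: int

    def quote(self, amount_in: int) -> int:
        # Integer division rounds down, as on-chain arithmetic does.
        return self.reserve_out * amount_in // (self.reserve_in + amount_in)

    def swap(self, amount_in: int, min_out: int) -> int:
        out = self.quote(amount_in)
        if out < min_out:
            raise SlippageError(f"got {out}, required at least {min_out}")
        self.reserve_in += amount_in
        self.reserve_out -= out
        return out

def min_out_from_quote(quoted_out: int, tolerance_bps: int) -> int:
    """Hypothetical helper: output floor for a configured tolerance."""
    if not 0 <= tolerance_bps <= BPS:
        raise ValueError("tolerance_bps must be within 0..10000")
    return quoted_out * (BPS - tolerance_bps) // BPS

def swap_after_price_move(min_out: int, moved_in: int) -> int:
    """Swap 10 tokens after an earlier trade of moved_in shifted the price."""
    pool = Pool(1_000 * E18, 1_000 * E18)  # constructed reserves
    pool.swap(moved_in, min_out=0)
    return pool.swap(10 * E18, min_out)

def compare(tolerance_bps: int, moved_in: int):
    """Return (fair quote, output with a 1 wei floor, bounded swap reverted?)."""
    fair = Pool(1_000 * E18, 1_000 * E18).quote(10 * E18)
    loose = swap_after_price_move(1, moved_in)
    try:
        swap_after_price_move(min_out_from_quote(fair, tolerance_bps), moved_in)
        return fair, loose, False
    except SlippageError:
        return fair, loose, True

if __name__ == "__main__":
    print(compare(tolerance_bps=50, moved_in=200 * E18))
```

With a 1 wei floor the swap settles at whatever price the pool holds at execution time, while the tolerance-based floor turns the same price move into a revert and still lets ordinary small drift through.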