// 4. Remove liquidity
int128 tokenIndex;
for (uint256 i = 0; i < tokens.length; i++) {
if (tokens[i] == pos.debtToken) {
tokenIndex = int128(uint128(i));
break;
}
}
ICurvePool(pool).remove_liquidity_one_coin(
amountPosRemove,
int128(tokenIndex),
0
);
}
The SPELL will remove the liquidity from Curve Pool (to pay back the borrowed amount to Compound ) with a 0 value for the _min_amount (Minimum amount of the coin to receive)
so the slippage/minimum amount of tokens to be received is set to a zero value. Thus, the Curve Pool will continue to redeem the pool tokens even if the trade incurs significant slippage
Impact
the SPELL could receive leas tokens in return, leading the user to losses for the rewards.
Code Snippet
Tool used
Manual Review
Recommendation
The proper way of computing the minimum amount of tokens to receive from a single-side trade (remove_liquidity_one_coin) is to call the Curve Pool's calc_withdraw_one_coin function off-chain to calculate the amount received when withdrawing a single LP Token, and then apply an acceptable discount.
(by: xiaoming90)
Ch_301
high
missing slippage protection
Summary
Vulnerability Detail
On this part of ConvexSpell.closePositionFarm()
The SPELL will remove the liquidity from Curve Pool (to pay back the borrowed amount to Compound ) with a 0 value for the _min_amount (Minimum amount of the coin to receive)
so the slippage/minimum amount of tokens to be received is set to a zero value. Thus, the Curve Pool will continue to redeem the pool tokens even if the trade incurs significant slippage
Impact
Code Snippet
Tool used
Manual Review
Recommendation
The proper way of computing the minimum amount of tokens to receive from a single-side trade (remove_liquidity_one_coin) is to call the Curve Pool's calc_withdraw_one_coin function off-chain to calculate the amount received when withdrawing a single LP Token, and then apply an acceptable discount. (by: xiaoming90)
Duplicate of #124