sherlock-audit / 2023-04-blueberry-judging


0x52 - Users are forced to swap all reward tokens with no slippage protection #121

Open sherlock-admin opened 1 year ago

sherlock-admin commented 1 year ago

0x52

high

Users are forced to swap all reward tokens with no slippage protection

Summary

AuraSpell forces users to swap their reward tokens to the debt token but doesn't allow them to specify any slippage values.

Vulnerability Detail

AuraSpell.sol#L193-L203

    for (uint256 i = 0; i < rewardTokens.length; i++) {
        uint256 rewards = _doCutRewardsFee(rewardTokens[i]);
        _ensureApprove(rewardTokens[i], address(swapRouter), rewards);
        swapRouter.swapExactTokensForTokens(
            rewards,
            0,
            swapPath[i],
            address(this),
            type(uint256).max
        );
    }

Above, all reward tokens are swapped and always use 0 for min out, meaning that deposits will be sandwiched and stolen.

Impact

All reward tokens can be sandwiched and stolen

Code Snippet

AuraSpell.sol#L149-L224

Tool used

Manual Review

Recommendation

Allow user to specify slippage parameters for all reward tokens
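A sketch of the recommendation above, added here as an illustration; it is not part of the original report and not Blueberry's code or the linked commit. It assumes a Uniswap V2-style router that reverts when the output is below `amountOutMin`; `ISwapRouterLike`, `RewardSwapSketch`, `_swapRewards`, `minAmountsOut` and `LengthMismatch` are hypothetical names, and the two helper signatures are inferred from the calls in the snippet.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added illustration, not Blueberry's code. The interface is inferred from the
// call shown in the report; all other new names are hypothetical.
interface ISwapRouterLike {
    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path,
        address to,
        uint256 deadline
    ) external returns (uint256[] memory amounts);
}

abstract contract RewardSwapSketch {
    ISwapRouterLike internal swapRouter;

    error LengthMismatch();

    // Helpers named in the report's snippet; signatures assumed from how they are called.
    function _doCutRewardsFee(address token) internal virtual returns (uint256);
    function _ensureApprove(address token, address spender, uint256 amount) internal virtual;

    /// @param minAmountsOut Caller-supplied floor for each swap, in units of the
    ///        last token of swapPath[i]; one entry per reward token.
    function _swapRewards(
        address[] memory rewardTokens,
        address[][] calldata swapPath,
        uint256[] calldata minAmountsOut
    ) internal {
        // Reject mismatched arrays up front so no reward token is swapped without a floor.
        if (swapPath.length != rewardTokens.length || minAmountsOut.length != rewardTokens.length) {
            revert LengthMismatch();
        }
        for (uint256 i = 0; i < rewardTokens.length; i++) {
            uint256 rewards = _doCutRewardsFee(rewardTokens[i]);
            if (rewards == 0) continue; // nothing to swap for this token
            _ensureApprove(rewardTokens[i], address(swapRouter), rewards);
            swapRouter.swapExactTokensForTokens(
                rewards,
                minAmountsOut[i], // was the constant 0 in the reported code
                swapPath[i],
                address(this),
                type(uint256).max
            );
        }
    }
}
```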

Gornutz commented 1 year ago

https://github.com/Blueberryfi/blueberry-core/commit/2d4e6173f472df8d60498f073d4da0952d7cc4d3

IAm0x52 commented 1 year ago

Needs a similar fix for ConvexSpell