search

sherlock-audit / 2023-04-blueberry-judging

8 stars 5 forks source link

0x52 - AuraSpell#closePositionFarm requires users to swap all reward tokens through same router #122

Open sherlock-admin opened 1 year ago

sherlock-admin commented 1 year ago

0x52

medium

AuraSpell#closePositionFarm requires users to swap all reward tokens through same router

Summary

AuraSpell#closePositionFarm requires users to swap all reward tokens through same router. This is problematic as it is very unlikely that a UniswapV2 router will have good liquidity sources for all tokens and will result in users experiencing forced losses to their reward token.

Vulnerability Detail

AuraSpell.sol#L193-L203 

    for (uint256 i = 0; i < rewardTokens.length; i++) {
        uint256 rewards = _doCutRewardsFee(rewardTokens[i]);
        _ensureApprove(rewardTokens[i], address(swapRouter), rewards);
        swapRouter.swapExactTokensForTokens(
            rewards,
            0,
            swapPath[i],
            address(this),
            type(uint256).max
        );
    }

All tokens are forcibly swapped through a single router.

Impact

Users will be forced to swap through a router even if it doesn't have good liquidity for all tokens

Code Snippet

AuraSpell.sol#L149-L224

Tool used

Manual Review

Recommendation

Allow users to use an aggregator like paraswap or multiple routers instead of only one single UniswapV2 router.

Gornutz commented 1 year ago

https://github.com/Blueberryfi/blueberry-core/commit/f0584ec9c449d58693fb11b1c511fb51ce898517

IAm0x52 commented 1 year ago

ConvexSpell needs similar fix