search

sherlock-audit / 2023-04-blueberry-judging

8 stars 5 forks source link

ctf_sec - Missing slippage control in CurveSpell swap #144

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

ctf_sec

high

Missing slippage control in CurveSpell swap

Summary

Missing slippage control in CurveSpell swap

Vulnerability Detail

When closePositionFarm in CurveSpell

// 1. Take out collateral - Burn wrapped tokens, receive crv lp tokens and harvest CRV
bank.takeCollateral(param.amountPosRemove);
wCurveGauge.burn(pos.collId, param.amountPosRemove);

{
    // 2. Swap rewards tokens to debt token
    uint256 rewards = _doCutRewardsFee(CRV);
    _ensureApprove(CRV, address(swapRouter), rewards);
    swapRouter.swapExactTokensForTokens(
        rewards,
        0,
        swapPath,
        address(this),
        type(uint256).max
    );
}

note the function call on swapRouter

swapRouter.swapExactTokensForTokens(
    rewards,
    0,
    swapPath,
    address(this),
    type(uint256).max
);

https://docs.uniswap.org/contracts/v2/reference/smart-contracts/router-02#swapexacttokensfortokens

the second parameter is amountOutMin, means The minimum amount of output tokens that must be received for the transaction not to revert.

setting it to 0 meaning no slippage control is in-place to avoid frontrunning / sandwitch attack (which is in still common in ethereum)

Impact

Lose of fund from sandwitch attack when swaping token because of lack of slippage control

Code Snippet

https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/spell/CurveSpell.sol#L162-L176

Tool used

Manual Review

Recommendation

We recommend the protocol add slipagge control in CurveSpell Uniswap V2 Swap

Duplicate of #121