spell#closePositionFarm executes swapExactTokensForTokens without slippage protection

Summary

AuraSpell/ConvexSpell/CurveSpell#closePositionFarm executes swaps without slippage protection. That will cause a loss of funds because of sandwich attacks.

Vulnerability Detail

As we all know, if the second parameter amountOutMin of the UniswapV2Router02#swapExactTokensForTokens function is set to 0, it is vulnerable to sandwich attacks. AuraSpell/ConvexSpell/CurveSpell#closePositionFarm will internally swap reward tokens into debt tokens for repayment.

//AuraSpell.sol
    // 4. Swap rewards tokens to debt token
        for (uint256 i = 0; i < rewardTokens.length; i++) {
            uint256 rewards = _doCutRewardsFee(rewardTokens[i]);
            _ensureApprove(rewardTokens[i], address(swapRouter), rewards);
            swapRouter.swapExactTokensForTokens(
                rewards,
->              0,      
                swapPath[i],
                address(this),
                type(uint256).max
            );
        }

Impact

swapExactTokensForTokens will be sandwiched causing a loss of funds for users.

Code Snippet

https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/spell/AuraSpell.sol#L196-L202

https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/spell/ConvexSpell.sol#L174-L180

https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/spell/CurveSpell.sol#L167-L173

Tool used

Manual Review

Recommendation

Slippage parameters should be included in the tx's calldata and passed to swapExactTokensForTokens.

Duplicate of #121

sherlock-audit / 2023-04-blueberry-judging

nobody2018 - spell#closePositionFarm executes swapExactTokensForTokens without slippage protection #50