No Slippage Protection while Swapping tokens through uniswap router
Summary
While Closing Position Farm in AuraSpell, convexSpell and curveSpell, there is a use of Uniswap Router which uses swapExactTokensForTokens method call to Swap rewards tokens to debt token. But the value of amountOutMinimum is set to be zero which allows 100% Value Slippage.
Vulnerability Detail
In closePositionFarm method of all the 3 spell contracts, there is no slippage control while swapping the reward tokens into debt tokens which means that a malicious actor could, e.g., trivially insert transactions before and after the naive transaction (using the infamous "sandwich" attack), causing the smart contract to trade at a radically worse price, profit from this at the caller's expense, and then return the contracts to their original state, all at a low cost.
Breeje
high
No Slippage Protection while Swapping tokens through uniswap router
Summary
While Closing Position Farm in
AuraSpell,convexSpellandcurveSpell, there is a use of Uniswap Router which usesswapExactTokensForTokensmethod call to Swap rewards tokens to debt token. But the value ofamountOutMinimumis set to be zero which allows 100% Value Slippage.Vulnerability Detail
In
closePositionFarmmethod of all the 3 spell contracts, there is no slippage control while swapping the reward tokens into debt tokens which means that a malicious actor could, e.g., trivially insert transactions before and after the naive transaction (using the infamous "sandwich" attack), causing the smart contract to trade at a radically worse price, profit from this at the caller's expense, and then return the contracts to their original state, all at a low cost.Impact
Loss of Funds.
Code Snippet
Link to Code
Link to Code
Link to Code
Tool used
Manual Review
Recommendation
Use a require check at the end of swap to make sure that slippage is not higher than user allowed slippage.
Duplicate of #121