search

sherlock-audit / 2023-04-blueberry-judging

8 stars 5 forks source link

Breeje - No Slippage Protection while removing liquidity from Curve Pool #59

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

Breeje

high

No Slippage Protection while removing liquidity from Curve Pool

Summary

While Closing Position Farm in convexSpell and curveSpell, there is a use of remove_liquidity_one_coin method in Curve Pool to remove the liquidity. But the value of _min_amount is set to be zero which allow maximum Slippage.

Vulnerability Detail

In closePositionFarm method of all the 3 spell contracts, there is no valid slippage parameter set in remove_liquidity_one_coin method call.

remove_liquidity_one_coin method is used to withdraw a single asset from the pool. It can take the following 3 parameters:

  1. _burn_amount: Amount of LP tokens to burn in the withdrawal.

  2. i: Index value of the coin to withdraw. Can be found using the coins getter method.

  3. _min_amount: Minimum amount of the coin to receive

But in both ConvexSpell and CurveSpell contracts, the value of _min_amount is set to zero which means the contract is allowing to burn all the LP tokens but in return allowing to accept 0 tokens as a withdrawal amount. This leads to High Slippage issue.

Impact

Loss of Funds.

Code Snippet

File: ConvexSpell.sol

  ICurvePool(pool).remove_liquidity_one_coin( 
      amountPosRemove,
      int128(tokenIndex),
      0
  );

Link to Code

File: CurveSpell.sol

  ICurvePool(pool).remove_liquidity_one_coin( 
      amountPosRemove,
      int128(tokenIndex),
      0
  );

Link to Code

Tool used

Manual Review

Recommendation

Use a valid _min_amount value to protect against Maximum Slippage

Duplicate of #124