Bauer
medium
Lack of deadline for uniswap AMM
Summary
The CurveSpell.closePositionFarm() function lacks a deadline check, making it vulnerable to sandwich attacks that can result in users losing their assets.
Vulnerability Detail
The CurveSpell.closePositionFarm() params do not currently include a deadline. Inside the CurveSpell.closePositionFarm() function, swaps are executed through the swapRouter.
Because front-running is a key aspect of AMM design, a deadline is a useful tool to ensure that your tx cannot be "saved for later".
Due to the absence of the check, it may be more profitable for a validator to delay including the transaction until it incurs the maximum amount of slippage permitted by its slippage bound.
Impact
Sandwich attacks cause users to lose assets
Code Snippet
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/spell/CurveSpell.sol#L143-L174
Tool used
Manual Review
Recommendation
The CurveSpell.closePositionFarm() function should accept a user-input deadline param.
Duplicate of #145
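The pattern the recommendation asks for, shown as an added illustration rather than code from the Blueberry repository: the caller passes a deadline, the spell rejects the call once block.timestamp has moved past it, and the same deadline is forwarded to the router so the swap itself cannot be held back and mined later. The contract name DeadlineGuardedSpell, the ISwapRouterWithDeadline interface and the Uniswap-V2-style swapExactTokensForTokens signature are assumptions made for this example; token transfers and approvals that a real position-closing function would also perform are deliberately left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed router interface for this example (not the project's swapRouter):
// a Uniswap-V2-style router whose swap call takes a deadline.
interface ISwapRouterWithDeadline {
    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path,
        address to,
        uint256 deadline
    ) external returns (uint256[] memory amounts);
}

// Hypothetical spell contract used only to contrast the two patterns.
contract DeadlineGuardedSpell {
    ISwapRouterWithDeadline public immutable swapRouter;

    error Expired(uint256 deadline, uint256 blockTime);

    constructor(ISwapRouterWithDeadline router) {
        swapRouter = router;
    }

    // Reverts if the transaction is mined after the caller's deadline.
    modifier ensure(uint256 deadline) {
        if (block.timestamp > deadline) {
            revert Expired(deadline, block.timestamp);
        }
        _;
    }

    // Vulnerable pattern: no deadline at all. The signed transaction stays
    // valid indefinitely, so it can be held back and included whenever the
    // pool price has drifted to the edge of amountOutMin.
    function closePositionNoDeadline(
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path
    ) external returns (uint256 amountOut) {
        uint256[] memory amounts = swapRouter.swapExactTokensForTokens(
            amountIn,
            amountOutMin,
            path,
            msg.sender,
            type(uint256).max // effectively "no deadline"
        );
        amountOut = amounts[amounts.length - 1];
    }

    // Hardened pattern: the caller chooses a deadline. It is checked here
    // before any state changes and forwarded to the router, so a delayed
    // inclusion reverts instead of executing at a stale price.
    function closePosition(
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path,
        uint256 deadline
    ) external ensure(deadline) returns (uint256 amountOut) {
        uint256[] memory amounts = swapRouter.swapExactTokensForTokens(
            amountIn,
            amountOutMin,
            path,
            msg.sender,
            deadline
        );
        amountOut = amounts[amounts.length - 1];
    }
}
```

The deadline complements amountOutMin rather than replacing it: the slippage bound limits how bad the executed price can be, while the deadline limits how long the transaction remains eligible to reach that bound. A front end would typically set deadline to block.timestamp plus a short window (a few minutes) at signing time.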