search

sherlock-audit / 2023-04-blueberry-judging

8 stars 5 forks source link

J4de - All spell's `closePositionFarm` function can be attacked by sandwich attack #74

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

J4de

high

All spell's closePositionFarm function can be attacked by sandwich attack

Summary

All spell's closePositionFarm function can be attacked by sandwich attack

Vulnerability Detail

Take AuraSpell.sol contract as an example.

File: spell/AuraSpell.sol
192         // 4. Swap rewards tokens to debt token
193         for (uint256 i = 0; i < rewardTokens.length; i++) {
194             uint256 rewards = _doCutRewardsFee(rewardTokens[i]);
195             _ensureApprove(rewardTokens[i], address(swapRouter), rewards);
196             swapRouter.swapExactTokensForTokens(
197                 rewards,
198                 0,
199                 swapPath[i],
200                 address(this),
201                 type(uint256).max
202             );
203         }

The closePositionFarm function will replace all rewarded tokens with debt tokens. This can lead to a sandwich attack due to no set minimum number of receive.

Impact

Some of the user's funds were stolen.

Code Snippet

https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/spell/AuraSpell.sol#L192-L203

Tool used

Manual Review

Recommendation

It is recommended to set the minimum receiving amount or slippage

Duplicate of #121