search

sherlock-audit / 2023-04-jojo-judging

7 stars 4 forks source link

0x52 - FlashLoanLiquidate#JOJOFlashLoan doesn't allow user to specify any slippage conditions #420

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

0x52

medium

FlashLoanLiquidate#JOJOFlashLoan doesn't allow user to specify any slippage conditions

Summary

FlashLoanLiquidate#JOJOFlashLoan utilizes a swap to swap collateral to USDC but doesn't allow the user to specify a minimum out so they have no way to limit slippage.

Vulnerability Detail

https://github.com/sherlock-audit/2023-04-jojo/blob/main/JUSDV1/src/Impl/flashloanImpl/FlashLoanLiquidate.sol#L53-L72

    (LiquidateData memory liquidateData, bytes memory originParam) = abi
        .decode(param, (LiquidateData, bytes));
    (
        address approveTarget,
        address swapTarget,
        address liquidator,
        bytes memory data
    ) = abi.decode(originParam, (address, address, address, bytes));
    IERC20(asset).approve(approveTarget, amount);
    (bool success, ) = swapTarget.call(data);
    if (success == false) {
        assembly {
            let ptr := mload(0x40)
            let size := returndatasize()
            returndatacopy(ptr, 0, size)
            revert(ptr, size)
        }
    }

    uint256 USDCAmount = IERC20(USDC).balanceOf(address(this));

Above the swap for FlashLoanLiquidate#JOJOFlashLoan doesn't allow the user to specify any slippage, allowing all swaps to be sandwich attacked and all liquidator profit stolen.

Impact

Swaps inside liquidate can be sandwiched due to no slippage protection

Code Snippet

https://github.com/sherlock-audit/2023-04-jojo/blob/main/JUSDV1/src/Impl/flashloanImpl/FlashLoanLiquidate.sol#L46-L96

Tool used

Manual Review

Recommendation

Add a minOut parameter

Duplicate of #373