okolicodes - No Slippage Parameter where the `Minimum of tokens` to get after a `swap` is done is set to `zero` by default, `swaps` are prone to `sandwich attacks`. #131
The amount of EMCs(eg USD1, USD91) minted and received by a user when swapping with their collateral/USD/(other EMCs), can be decreased to an unlimited extent by manipulating the reserves of the pool leading to the user getting fewer EMCs(eg USD1, USD91) than requested.
Vulnerability Detail
This issue is in the Unitas.sol contract at the swap function.
There is no parameter that allows a user to set the minimum amount of EMCs they should get after swapping their collateral for EMCs, and in a situation like this the slippage is set to zero by default meaning the user can get as low as zero amount of EMCs for any amount of collateral/Tokens, which will lead to loss of funds.
POC
Here a user is expected send collateral/Tokens to the pool and the equivalent amount of EMCs are minted and to be sent to the user. However, the user can’t specify the minimum amount of EMCs that they would accept. A frontrunner/MEV can then manipulate the reserves of the pool via FLASHLOANS in order to make the reserves appear more valuable than it really is so the user receives EMCs that are worth much less than what collateral is worth.
Impact
Users who trying to swaps the funds for EMCs, are left unprotected from slippage attacks as they could get as low as zero amount of EMCs when the swap with their tokens. leading to loss of funds due to MEV/FlashLoan attacks
Add an argument for the minimum amount of tokens to get after a swap for an equivalent collateral/Tokens to enable the users secure themselves against such attacks.
okolicodes
high
No Slippage Parameter where the
Minimum of tokensto get after aswapis done is set tozeroby default,swapsare prone tosandwich attacks.Line with Bug
Summary
The amount of
EMCs(eg USD1, USD91)minted and received by a user when swapping with theircollateral/USD/(other EMCs), can be decreased to an unlimited extent by manipulating the reserves of the pool leading to the user getting fewerEMCs(eg USD1, USD91)than requested.Vulnerability Detail
This issue is in the
Unitas.solcontract at theswapfunction.There is no parameter that allows a user to set the minimum amount of
EMCsthey should get after swapping their collateral forEMCs, and in a situation like this the slippage is set tozeroby default meaning the user can get as low aszeroamount ofEMCsfor any amount ofcollateral/Tokens, which will lead to loss of funds. POC Here a user is expected sendcollateral/Tokensto the pool and the equivalent amount ofEMCsare minted and to be sent to the user. However, the user can’t specify the minimum amount ofEMCsthat they would accept. Afrontrunner/MEVcan then manipulate the reserves of the pool viaFLASHLOANSin order to make the reserves appear more valuable than it really is so the user receivesEMCsthat are worth much less than what collateral is worth.Impact
Users who trying to swaps the
fundsforEMCs, are left unprotected fromslippage attacksas they could get as low aszeroamount ofEMCswhen the swap with their tokens. leading to loss of funds due toMEV/FlashLoanattacksCode Snippet
swapFunction ~ https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/Unitas.sol#LL208C3-L237C6Tool used
Manual Review
Recommendation
Add an argument for the minimum amount of
tokensto get after aswapfor an equivalentcollateral/Tokensto enable the users secure themselves against suchattacks.Duplicate of #88