Open sherlock-admin opened 1 year ago
Removed: comment left for traceability I think this is not a valid medium. As the mintForToken function uses oracle prices, which return a weighted average price, it should not be that easy manipulated by Frontrunning.
You've deleted an escalation for this issue.
Escalate for 10USDC I think this is not a valid medium. As the mintForToken function uses oracle prices, which return a weighted average price, it should not be that easy manipulated by Frontrunning.
Weighted average prices does not guarantee that trades (minting in this case) executed based on the average price will be free from slippage. TWAP's are obviously vulnerable to slippage attacks. I also would like to remind that there is another valid issue due to the lack of slippage parameter in uniRouter. (That function also uses TWAP)
Okay, I think you are right. I removed the escalation
Kose
high
Because of missing slippage parameter, mintForToken() can be front-runned
Summary
Missing slippage parameter in
mintForToken()
makes it vulnerable to front-run attacks and exposes users to unwanted slippage.Vulnerability Detail
The current implementation of the
mintForToken()
function lacks a parameter for controlling slippage, which makes it vulnerable to front-run attacks. Transactions involving large volumes are particularly at risk, as the minting process can be manipulated, resulting in price impact. This manipulation allows the reserves of the pool to be controlled, enabling a frontrunner to make the transferred token to appear more valuable than its actual worth. Consequently, when users mint USSD, they may receive USSD that are worth significantly less than the value of their real worth. This lack of slippage control resembles a swap without a limit on value manipulation.Impact
User will be vulnerable to front-run attacks and receive less USSD from their expectation.
Code Snippet
USSD.sol#L150-L167
Tool used
Manual Review
Recommendation
Consider adding a
minAmountOut
parameter.