Bandit - `minLiquidity` does not protect from curve triCryptoPool liquidity sandwiching

[sherlock-admin2]

Bandit

high

minLiquidity does not protect from curve triCryptoPool liquidity sandwiching

Summary

The minLiquidity slippage parameter is effective for stopping liqudiity sandwiching attacks for the Naiper Pool but does not prevent liquidity sandwich attacks on the curve tricryptoPool.

Vulnerability Detail

In NapierRouter.sol, addLiquidity has slippage controlled by the liquidityMin parameter. This only provides slippage protection for the NapierPool liquidity. However, there is also liquidity added to the curve TriCryptoPool. The triCryptoPool liquidity deposit is vulnerable to a sandwhich attack where this sequence of frontrunning steps happens:

1. attacker manipulates curve pool price
2. the victim deposits liquidity
3. attacker swaps back through the newly added liquidity making arbitrage profits through the extra liquidity.

Optional reference for the liquidity sandwiching attack: https://medium.com/@alexanderzaidelson/the-reverse-lp-sandwich-arbitrage-73a081e68f1f

This also applies for other functions that add liquidity to the triCryptoPool.

Impact

Losses to sandwiching due to lack of slippage protection for curve tricrypto liquidity deposits.

Code Snippet

https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierRouter.sol#L461

Tool used

Manual Review

Recommendation

Add a curve slippage parameter to the addLiquidity function and other functions in the router which add liquidity to the curve tricrypto pool.

Alternatively, since the assets in the triCryptoPool should all be close in price, enforce a maximum deviation in AMM derived price and revert if the deviation is above that.

[sherlock-admin]

2 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

Invalid. We have a slippage check

takarez commented:

valid: slippage check isnt in place for it; medium(13)