search

sherlock-audit / 2024-01-napier-judging

9 stars 6 forks source link

Arcanet - No Slippage Protection Spawing YT for UT #66

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

Arcanet

high

No Slippage Protection Spawing YT for UT

Arcanet

high

No Slippage Protection Spawing YT for UT

Summary

Lack of slippage protection in NapierRouter::swapUnderlyingForYt causes users to potentially receive less underlying assets than underlyingOutMin

Vulnerability Detail

By swapping YT for UT INapierPool(pool).swapPtForUnderlying(index, ytOutDesired, address(this), data) it is possible user to receive less then underlyingOutMin UT.

Impact

If market conditions change before the transaction processes, the user can get much worse swap.

Code Snippet

https://github.com/sherlock-audit/2024-01-napier-TeodorBoyadzhiev/blame/181a2eedee21d61a4fbfaf35cde72028b42700ae/v1-pool/src/NapierRouter.sol#L297

    function swapUnderlyingForYt(
        address pool,
        uint256 index,
        uint256 ytOutDesired,
-        uint256 underlyingInMax,
+        uint256 underlyingOutMin,
        address recipient,
        uint256 deadline
    ) external payable override nonReentrant checkDeadline(deadline) returns (uint256) {

https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierRouter.sol#L373

- mstore(add(data, 0x120), underlyingInMax)
+ mstore(add(data, 0x120), underlyingOutMin)

https://github.com/sherlock-audit/2024-01-napier-TeodorBoyadzhiev/blame/181a2eedee21d61a4fbfaf35cde72028b42700ae/v1-pool/src/NapierRouter.sol#L382

    uint256 received = INapierPool(pool).swapPtForUnderlying( //returns (uint256 underlyingOut)
            index,
            ytOutDesired, // ptInDesired
            address(this), // this contract will receive underlying token from pool
            data
        );
+        if (received < underlyingOutMin) revert Errors.RouterInsufficientUnderlyingOut();

        // Underlying pulled = underlying deposited - underlying received from swap
        return uDeposit - received;

Tool used

Manual Review

Recommendation

You should include condition so the user only has to receive not less then specific amount

sherlock-admin commented 7 months ago

2 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

Invalid. We have a slippage check

takarez commented:

valid: medium(8)