Lack of slippage protection in NapierRouter::swapUnderlyingForYt causes users to potentially receive less underlying assets than underlyingOutMin
Vulnerability Detail
By swapping YT for UT INapierPool(pool).swapPtForUnderlying(index, ytOutDesired, address(this), data) it is possible user to receive less then underlyingOutMin UT.
Impact
If market conditions change before the transaction processes, the user can get much worse swap.
uint256 received = INapierPool(pool).swapPtForUnderlying( //returns (uint256 underlyingOut)
index,
ytOutDesired, // ptInDesired
address(this), // this contract will receive underlying token from pool
data
);
+ if (received < underlyingOutMin) revert Errors.RouterInsufficientUnderlyingOut();
// Underlying pulled = underlying deposited - underlying received from swap
return uDeposit - received;
Tool used
Manual Review
Recommendation
You should include condition so the user only has to receive not less then specific amount
Arcanet
high
No Slippage Protection Spawing YT for UT
Arcanet
high
No Slippage Protection Spawing YT for UT
Summary
Lack of slippage protection in
NapierRouter::swapUnderlyingForYt
causes users to potentially receive less underlying assets thanunderlyingOutMin
Vulnerability Detail
By swapping YT for UT
INapierPool(pool).swapPtForUnderlying(index, ytOutDesired, address(this), data)
it is possible user to receive less thenunderlyingOutMin
UT.Impact
If market conditions change before the transaction processes, the user can get much worse swap.
Code Snippet
https://github.com/sherlock-audit/2024-01-napier-TeodorBoyadzhiev/blame/181a2eedee21d61a4fbfaf35cde72028b42700ae/v1-pool/src/NapierRouter.sol#L297
https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierRouter.sol#L373
https://github.com/sherlock-audit/2024-01-napier-TeodorBoyadzhiev/blame/181a2eedee21d61a4fbfaf35cde72028b42700ae/v1-pool/src/NapierRouter.sol#L382
Tool used
Manual Review
Recommendation
You should include condition so the user only has to receive not less then specific amount