No slippage checks for deposit/mint/withdraw/redeem
Summary
The amount that a user receives from an ERC4626 vault is dependent upon the amount of assets and shares that currently exist. When a user submits a transaction, there is no guarantee that the exchange rate will remain the same by the time the transaction is included in a block.
Per EIP4626:
"If implementors intend to support EOA account access directly, they should consider adding an additional function call for deposit/mint/withdraw/redeem with the means to accommodate slippage loss or unexpected deposit/withdrawal limits, since they have no other means to revert the transaction if the exact output amount is not achieved."
Vulnerability Detail
Market does not include slippage functionality on deposit/mint/withdraw/redeem functions.
Impact
Users may receive less assets/shares that they expect due to changes between when they submit a transaction and when the transaction is confirmed.
function withdraw(uint256 assets, address receiver, address owner) public override returns (uint256 shares) {
auditor.checkShortfall(this, owner, assets);
RewardsController memRewardsController = rewardsController;
if (address(memRewardsController) != address(0)) memRewardsController.handleDeposit(owner);
shares = super.withdraw(assets, receiver, owner);
emitMarketUpdate();
}
/// @notice Redeems the owner's floating pool assets to the receiver address.
/// @dev Makes sure that the owner doesn't have shortfall after withdrawing.
/// @param shares amount of shares to be redeemed for underlying asset.
/// @param receiver address to which the assets will be transferred.
/// @param owner address which owns the floating pool assets.
/// @return assets amount of underlying asset that was withdrawn.
function redeem(uint256 shares, address receiver, address owner) public override returns (uint256 assets) {
auditor.checkShortfall(this, owner, previewRedeem(shares));
RewardsController memRewardsController = rewardsController;
if (address(memRewardsController) != address(0)) memRewardsController.handleDeposit(owner);
assets = super.redeem(shares, receiver, owner);
emitMarketUpdate();
}
Tool used
Manual Review
Recommendation
Include a slippage parameter in withdraw/redeem functions. Add a new external function to deposit and mint with a minAmountOut parameter.
BowTiedOriole
medium
No slippage checks for deposit/mint/withdraw/redeem
Summary
The amount that a user receives from an ERC4626 vault is dependent upon the amount of assets and shares that currently exist. When a user submits a transaction, there is no guarantee that the exchange rate will remain the same by the time the transaction is included in a block.
Per EIP4626:
"If implementors intend to support EOA account access directly, they should consider adding an additional function call for deposit/mint/withdraw/redeem with the means to accommodate slippage loss or unexpected deposit/withdrawal limits, since they have no other means to revert the transaction if the exact output amount is not achieved."
Vulnerability Detail
Market does not include slippage functionality on deposit/mint/withdraw/redeem functions.
Impact
Users may receive less assets/shares that they expect due to changes between when they submit a transaction and when the transaction is confirmed.
Code Snippet
ERC4626#L46-L73
Market#L725-L745
Tool used
Manual Review
Recommendation
Include a slippage parameter in withdraw/redeem functions. Add a new external function to deposit and mint with a
minAmountOut
parameter.