jasonxiale
medium
VeloSwapUtils.swap doesn't have slippage protection

Summary
The swap functions defined in VeloSwapUtils.sol set amountOutMin to 0, which means the swaps have no slippage protection.

Vulnerability Detail
Because the first swap function is the one used in StrategyPassiveManagerVelodrome._chargeFees, I will take it as the example. According to StrategyPassiveManagerVelodrome.sol#L493, _isV3 is true, so the function takes the if branch. Given the _router defined in the test case, the 0 at VeloSwapUtils.sol#L29 is the amountOutMin field of the router's input struct, so any output amount is accepted.

Impact
VeloSwapUtils.swap is called by StrategyPassiveManagerVelodrome._chargeFees, _chargeFees is called by _harvest, and _harvest can be called by anyone. Without proper slippage protection, the harvest swaps can be sandwiched, so the caller, the strategist, and beefyFeeRecipient() receive fewer rewards than the harvested tokens are worth.

Code Snippet
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/utils/VeloSwapUtils.sol#L22-L77
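To put a number on the impact described above, the following is an added example, not code from the Beefy cowcentrated contracts or from Velodrome: a Python model of a constant-product pool (an assumed 0.30% fee and round, constructed reserves) in which an attacker sandwiches the fee swap. `run_sandwich` performs the victim's swap first the way `VeloSwapUtils.swap` does, with `amountOutMin = 0`, and then with a minimum derived from a reference quote taken before the manipulation; the `max_slippage_bps` tolerance, the pool math and the token names are assumptions, and the Velodrome/Slipstream router is not modelled.

```python
"""Added example (not the project's code): a sandwich attack against a swap that
passes amountOutMin = 0, versus the same swap with a slippage bound.

Everything here is constructed: a constant-product pool with an assumed 0.30% fee,
round reserves, and an attacker who front-runs and back-runs the fee swap.
"""
from dataclasses import dataclass
from typing import Optional

BPS = 10_000
FEE_BPS = 30  # assumed 0.30% pool fee, not Velodrome's actual fee schedule


class SlippageExceeded(Exception):
    """Raised when the realised output is below amountOutMin (a revert on-chain)."""


@dataclass
class Pool:
    """Minimal x*y=k pool; token "A" and token "B" are placeholders."""
    reserve_a: int
    reserve_b: int

    def _reserves(self, token_in: str) -> tuple:
        if token_in == "A":
            return self.reserve_a, self.reserve_b
        return self.reserve_b, self.reserve_a

    def quote(self, token_in: str, amount_in: int) -> int:
        """Output the pool would give right now for amount_in of token_in."""
        r_in, r_out = self._reserves(token_in)
        amount_in_net = amount_in * (BPS - FEE_BPS) // BPS
        return r_out * amount_in_net // (r_in + amount_in_net)

    def swap(self, token_in: str, amount_in: int, amount_out_min: int) -> int:
        """Execute the swap, enforcing amount_out_min the way a router does."""
        amount_out = self.quote(token_in, amount_in)
        if amount_out < amount_out_min:
            raise SlippageExceeded(f"got {amount_out}, required at least {amount_out_min}")
        if token_in == "A":
            self.reserve_a += amount_in
            self.reserve_b -= amount_out
        else:
            self.reserve_b += amount_in
            self.reserve_a -= amount_out
        return amount_out


def min_out_from_reference(expected_out: int, max_slippage_bps: int) -> int:
    """The amountOutMin a protected caller would pass: reference quote minus tolerance."""
    return expected_out * (BPS - max_slippage_bps) // BPS


def run_sandwich(victim_amount_in: int, attacker_amount_in: int,
                 max_slippage_bps: Optional[int]) -> dict:
    """Sandwich the victim's A->B swap. max_slippage_bps=None reproduces amountOutMin = 0."""
    pool = Pool(reserve_a=1_000_000, reserve_b=1_000_000)

    # Reference price taken BEFORE the attacker acts: models an oracle/TWAP or an
    # off-chain quote. A spot quote inside the victim's own tx would already be skewed.
    expected_out = pool.quote("A", victim_amount_in)
    amount_out_min = 0 if max_slippage_bps is None else min_out_from_reference(
        expected_out, max_slippage_bps)

    # Front-run: attacker buys B, pushing the price the victim is about to trade at.
    attacker_b = pool.swap("A", attacker_amount_in, 0)

    # Victim's swap (the strategy's fee swap). With amountOutMin = 0 it always succeeds.
    try:
        victim_out = pool.swap("A", victim_amount_in, amount_out_min)
        reverted = False
    except SlippageExceeded:
        victim_out, reverted = 0, True

    # Back-run: attacker sells the B bought in the front-run back into the pool.
    attacker_a_back = pool.swap("B", attacker_b, 0)

    return {
        "expected_out": expected_out,
        "amount_out_min": amount_out_min,
        "victim_out": victim_out,
        "reverted": reverted,
        "attacker_profit": attacker_a_back - attacker_amount_in,
    }


if __name__ == "__main__":
    for bps in (None, 100):
        result = run_sandwich(victim_amount_in=10_000, attacker_amount_in=200_000,
                              max_slippage_bps=bps)
        print(f"max_slippage_bps={bps}: {result}")
```

With these constructed numbers the unprotected fee swap of 10,000 A returns roughly 30% less B than its pre-manipulation quote while the attacker ends the block in profit; with a 1% bound the victim's swap reverts and the sandwich loses money on fees. Two caveats for the fix: the reference used to derive amountOutMin cannot be a spot quote read in the same transaction, because that quote is already manipulated, so it has to come from an oracle/TWAP or from outside the transaction; and since _harvest is callable by anyone, a minimum that the harvest caller simply supplies is not a protection either, as the attacker can call harvest with 0.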
Tool used
Manual Review
Recommendation
Duplicate of #8