search

sherlock-audit / 2024-05-beefy-cowcentrated-liquidity-manager-judging

5 stars 5 forks source link

nikolap - No slippage protection when minting a position #35

Closed sherlock-admin2 closed 5 months ago

sherlock-admin2 commented 5 months ago

nikolap

high

No slippage protection when minting a position

Summary

No slippage protection was set when minting a position.

Vulnerability Detail

Setting amount0Min and amount1Min to zero. A function calling mint with no slippage protection would be vulnerable to a frontrunning attack designed to execute the mint call at an inaccurate price.

Impact

As there's no safety-net preventing the slippage from a frontrunner. The intent of minting a desired amount and what actually has been minted could in fact lead to serious unintentional interference from the contract leading to substantial loses in the process.

Code Snippet

https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/42ef5f0eac1bc954e888cf5bfb85cbf24c08ec76/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L314

Tool used

Manual Review

Recommendation

Add another field to the contract where the owner can set the expected percentage minted e.g.

amount0Min: _amount0 * 0.95
amount1Min: _amount1 * 0.95
...

Duplicate of #8

sherlock-admin3 commented 5 months ago

1 comment(s) were left on this issue during the judging contest.

WildSniper commented:

invalid due to impossibility of such attack with tick lower and upper as params