The VeloSwapUtils::swap function performs swaps with no slippage protection. There are three implementations of this function, all lacking slippage protection. According to the Uniswap V3 Development Book a slippage protection must be applied on swaps as it ensures that users receive a fair minimum amount of output tokens, preventing significant losses due to price fluctuations during the transaction.
Additionally, the swap functions in UniV3Utils (not in scope) also lack slippage protection.
Vulnerability Detail
The VeloSwapUtils library contains three swap functions that perform token swaps using either V2 or V3 paths. In all implementations, the slippage parameter is hardcoded to 0. This means that there is no guarantee of the minimum amount of output tokens that must be received, leaving users vulnerable to significant slippage and potentially receiving far less tokens than expected.
Impact
Medium. While frequent harvesting mitigates the impact, it does not eliminate the risk. Implementing slippage protection is crucial to safeguard the protocol's fee structure and ensure fair and transparent operations.
Modify the functions to accept an additional parameter for the minimum amount of output tokens that the user is willing to accept sqrtPriceLimitX96. The modified functions should then include this parameter when encoding the input for the IVeloRouter::execute function.
d17vv
medium
No slippage protection on swaps
Summary
The VeloSwapUtils::swap function performs swaps with no slippage protection. There are three implementations of this function, all lacking slippage protection. According to the Uniswap V3 Development Book a slippage protection must be applied on swaps as it ensures that users receive a fair minimum amount of output tokens, preventing significant losses due to price fluctuations during the transaction.
Additionally, the swap functions in UniV3Utils (not in scope) also lack slippage protection.
Vulnerability Detail
The
VeloSwapUtils
library contains threeswap
functions that perform token swaps using either V2 or V3 paths. In all implementations, the slippage parameter is hardcoded to0
. This means that there is no guarantee of the minimum amount of output tokens that must be received, leaving users vulnerable to significant slippage and potentially receiving far less tokens than expected.Impact
Medium. While frequent harvesting mitigates the impact, it does not eliminate the risk. Implementing slippage protection is crucial to safeguard the protocol's fee structure and ensure fair and transparent operations.
Code Snippet
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/utils/VeloSwapUtils.sol#L22-L41 https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/utils/VeloSwapUtils.sol#L44-L54 https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/utils/VeloSwapUtils.sol#L57-L77
Tool used
Manual Review
Recommendation
Modify the functions to accept an additional parameter for the minimum amount of output tokens that the user is willing to accept
sqrtPriceLimitX96
. The modified functions should then include this parameter when encoding the input for theIVeloRouter::execute
function.More info: https://uniswapv3book.com/milestone_3/slippage-protection.html#:~:text=Slippage%20Protection%20in%20Swaps
Duplicate of #8