d17vv - No slippage protection in the `_mintPosition`

[sherlock-admin4]

d17vv

medium

No slippage protection in the _mintPosition

Summary

The StrategyPassiveManagerVelodrome::_mintPosition function mints a new liquidity position using Uniswap V3. However, this function lacks slippage protection. According to the Uniswap V3 Development Book, slippage protection should be implemented in the mint function to ensure that the liquidity provided is proportional to the current price and that the user is not exposed to unexpected token amounts due to price fluctuations.

Vulnerability Detail

The StrategyPassiveManagerVelodrome::_mintPosition does not include slippage protection. Specifically, it sets amount0Min and amount1Min to 0, meaning there are no checks to ensure the amounts of tokens provided are within an acceptable range considering slippage. This can result in liquidity providers receiving fewer tokens than expected, causing potential losses.

Impact

Medium. With no protection, liquidity providers may experience significant slippage during the minting process. This will create scenarios where the actual amounts of tokens provided to the liquidity pool are less than anticipated, resulting in financial loss and reduced efficiency of the liquidity provision.

Code Snippet

https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L305-L327

Tool used

Manual Review

Recommendation

Implement slippage protection in the _mintPosition function by setting appropriate amount0Min and amount1Min values.

Duplicate of #8

[sherlock-admin2]

1 comment(s) were left on this issue during the judging contest.

WildSniper commented:

invalid due to impossibility of such attack with tick lower and upper as params