search

sherlock-audit / 2024-05-beefy-cowcentrated-liquidity-manager-judging

5 stars 5 forks source link

no - No slippage parameter on Velodrome `_mintPosition` can be exploited by MEV #97

Closed sherlock-admin4 closed 2 months ago

sherlock-admin4 commented 2 months ago

no

high

No slippage parameter on Velodrome _mintPosition can be exploited by MEV

Summary

No slippage parameter on Velodrome _mintPosition can be exploited by MEV

Vulnerability Detail

function _mintPosition(int24 _tickLower, int24 _tickUpper, uint256 _amount0, uint256 _amount1, bool _mainPosition) private {
        INftPositionManager.MintParams memory mintParams = INftPositionManager.MintParams({
            token0: lpToken0,
            token1: lpToken1,
            tickSpacing: _tickDistance(),
            tickLower: _tickLower,
            tickUpper: _tickUpper,
            amount0Desired: _amount0,
            amount1Desired: _amount1,
@>            amount0Min: 0,
@>            amount1Min: 0,
            recipient: address(this),
@>            deadline: block.timestamp,
@>            sqrtPriceX96: 0
        });

        (uint256 nftId,,,) = INftPositionManager(nftManager).mint(mintParams);

        if (_mainPosition) positionMain.nftId = nftId;
        else positionAlt.nftId = nftId;

        IERC721(nftManager).approve(gauge, nftId);
    }

Due to the lack of slippage parameter an MEV attacker could sandwich attack the _mintPosition to return fewer output tokens to the protocol than would otherwise be returned. For StrategyPassiveManagerVelodrome the reduced output tokens applies to the liquidity.

Impact

Due to the lack of slippage parameter an MEV attacker could sandwich attack the _mintPosition to return fewer output tokens to the protocol than would otherwise be returned.

Code Snippet

https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L305C1-L327C6

Tool used

Manual Review

Recommendation

add slippage parameter

Duplicate of #8

sherlock-admin2 commented 2 months ago

1 comment(s) were left on this issue during the judging contest.

WildSniper commented:

invalid due to impossibility of such attack with tick lower and upper as params