Closed sherlock-admin3 closed 3 months ago
I think at least ytAmount is issued.
In this line, router computes wethDeposit to mint at least ytAmount based on current scale. It means wethDeposit might be changed due to slippage but the maxEthSpent guarantees amount to spend.
uint256 wethDeposit = TrancheMathHelper.getApproxUnderlyingNeededByYt({pt: pt, ytDesired: ytAmount, approx: approx});
Later, router issues PT and YT. At this point, router mints ytAmount of YT.
uint256 pyIssued = ITranche(pt).issue(address(this), wethDeposit);
If it doesn't make sense, can you show us a PoC?
request poc
PoC requested from @0502lian
Requests remaining: 3
no
medium
No slippage check in swapETHForYt function can lead to slippage losses during swap
Summary
No slippage check in swapETHForYt function can lead to slippage losses during swap
Vulnerability Detail
The ytAmount is the amount of YT tokens that the user wants to receive. But the actual amount of YT tokens that the user will receive is pyIssued.
Throughout the entire swap process, involving token swaps across multiple pools, the slippage protection parameter was not used. The maxEthSpent only guarantees the maximum amount of ETH spent, but it does not guarantee the minimum amount of YT tokens received.
Impact
Leading to slippage losses during swap
Code Snippet
https://github.com/sherlock-audit/2024-05-napier-update/blob/main/metapool-router/src/MetapoolRouter.sol#L212C1-L266C6
https://github.com/sherlock-audit/2024-05-napier-update/blob/main/metapool-router/src/MetapoolRouter.sol#L282C5-L348C6
Tool used
Manual Review
Recommendation
Add the ytMinimum to ensure that the minimum amount of YT tokens is received
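
The thread turns on whether a cap on input (maxEthSpent) also bounds the output (pyIssued against ytAmount). The Python toy model below is an added illustration, not code from the Napier repository or from either participant; it treats the two as separate postconditions so each can be exercised on its own. Assumptions: the issuance rule (deposit times scale, rounded down), the deposit counted as the amount spent, the `round_up` switch that stands in for an imprecise approximation, and the names `ToyTranche`, `underlying_needed_by_yt` and `yt_minimum`.

```python
WAD = 10**18  # 18-decimal fixed point, as used for token amounts


class SlippageError(Exception):
    """Raised where the modelled router would revert."""


class ToyTranche:
    """Assumed issuance rule: issued = underlying * scale / WAD, rounded down."""

    def __init__(self, scale):
        self.scale = scale

    def issue(self, underlying):
        return underlying * self.scale // WAD


def underlying_needed_by_yt(tranche, yt_desired, round_up=True):
    """Stand-in for the approximation step that sizes the deposit.

    round_up=False models an estimate that lands one unit short.
    """
    num = yt_desired * WAD
    if round_up:
        return -(-num // tranche.scale)  # ceiling division
    return num // tranche.scale


def swap_eth_for_yt(tranche, yt_amount, max_eth_spent,
                    yt_minimum=None, round_up=True):
    """Return (weth_deposit, py_issued) or raise SlippageError."""
    weth_deposit = underlying_needed_by_yt(tranche, yt_amount, round_up)

    # Input cap: bounds what the caller pays, says nothing about output.
    if weth_deposit > max_eth_spent:
        raise SlippageError("input cap exceeded")

    py_issued = tranche.issue(weth_deposit)

    # Output floor: the check recommended in the report, as a postcondition
    # on the issued amount rather than on the amount requested.
    if yt_minimum is not None and py_issued < yt_minimum:
        raise SlippageError("output floor not met")

    return weth_deposit, py_issued
```

In this model the input cap passes in both rounding modes; only the output floor distinguishes a deposit that issues the full `yt_amount` from one that issues one unit less.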