Closed sherlock-admin3 closed 1 month ago
1 comment(s) were left on this issue during the judging contest.
0xmystery commented:
invalid because users can always optionally call deposit() by pre-converting DAI/sDAI, ETH/stETH, ETH/eTH at their control
zarkk01
high
No slippage protection on convert functions in
SophonFarming
.Summary
User can be front-runned on the
deposit
procedure and due to the conversion oftoken
tolpToken
lose instantly lot of value leading to less points and loss of funds for him.Vulnerability Detail
Users can deposit their funds in the
SophonFarming
contract calling the relevantdepositXXX
funcion and convert their funds to thelpToken
before the deposital. However, in this procedure there is no slippage protection that will guarantee that the user will got entitled to the same amount oflpToken
as the amount of funds that he deposited and, also, the points that he deserved. For example, let's take the scenario that user callsdepositStEth()
function and wants to deposit 1stETH
. Then the_depositPredefinedAsset()
function will be called that will try to convert the 1stETH
to awstETH
amount calling_stEthTOwstEth()
wraping
thestETH
. However, nowhere thefinalAmount
returned is compared to be at least close to theinitalAmount
inseETH
. That means that a malicious front-runner could perfom an attack on theWstETH
part and make thefinalAmount
a lot less than expected bywrapping
his big amount(maybe flash loaned) and then back running the user's transaction. This is totally possible, since thewrap
function lies on the pooled ETH as we can see in the line 1076 of WstETH contract. This attack can happen on otherdepositXXX
functions that convert thetoken
tolpToken
too but for simplicity we analyzed only this.Impact
MEV Front-running attacks can be performed on the convert functions and diminish instantly the deposited amount of user and also the reward points that he is entitled to.
Code Snippet
All
depositXXX
functions : https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L796 https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L808 https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L821 https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L832 https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L843 https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L854Tool used
Manual code inspection
Recommendation
Consider adding a slippage protection mechanism in convert functions in which the user will select the minimum amount of
lpToken
that he will accept of the conversion.