sherlock-audit / 2024-06-makerdao-endgame-judging


zraxx - Function `deposit` and `mint` have no slippage protection. #79

Closed sherlock-admin2 closed 1 month ago

sherlock-admin2 commented 1 month ago

zraxx

Medium

Function deposit and mint have no slippage protection.

Summary

The missing slippage protection for deposit and mint in SNst.sol will cause users unexpected deposits and mints.

Root Cause

https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/sdai/src/SNst.sol#L357-L360

https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/sdai/src/SNst.sol#L371-L374

No slippage protection for the functions deposit and mint.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

When depositing, users are unable to obtain the expected share. When minting, users pay more assets than expected. Due to the lack of slippage protection, this could cause users to lose more than 1% of their assets.

PoC

No response

Mitigation

Add the slippage protection.

sunbreak1211 commented 1 month ago

This issue doesn't make any sense. This contract is prepared to deposit an X amount of NST and later be able to withdraw >= X amount (excepting edge cases where rounding down and a lack of nsr > RAY could result in being able to withdraw slightly less). So this is not a swap function or similar, where you want to put boundaries as you could get caught in a bad trade.
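
A simplified model of the accounting the last comment describes, added here as an illustration and not taken from SNst.sol or from the thread: the share price is an accumulator `chi` that only grows with time at the per-second rate `nsr`, so a deposit followed by a redeem returns the deposit minus rounding dust, or more once interest accrues. The class and function names, the rounding directions and the sample rate are assumptions of the example.

```python
RAY = 10**27  # 27-decimal fixed point; nsr and chi are RAY values

def rpow(x, n):
    """x**n in RAY fixed point, rounding down at each step (simplification)."""
    z = RAY
    while n:
        if n & 1:
            z = z * x // RAY
        x = x * x // RAY
        n >>= 1
    return z

class RateVault:
    """Hypothetical savings vault: share price is chi, driven only by time."""
    def __init__(self, nsr):
        assert nsr >= RAY, "per-second rate below 1.0 is not allowed"
        self.nsr, self.chi = nsr, RAY

    def drip(self, seconds):
        new_chi = rpow(self.nsr, seconds) * self.chi // RAY
        assert new_chi >= self.chi  # the accumulator never decreases
        self.chi = new_chi

    def deposit(self, assets):   # assets in -> shares out, rounded down
        return assets * RAY // self.chi

    def mint(self, shares):      # shares out -> assets in, rounded up
        return -(-shares * self.chi // RAY)

    def redeem(self, shares):    # shares in -> assets out, rounded down
        return shares * self.chi // RAY

def round_trip(vault, assets, hold_seconds):
    """Deposit, wait hold_seconds, redeem everything; return assets received."""
    shares = vault.deposit(assets)
    vault.drip(hold_seconds)
    return vault.redeem(shares)

def demo():
    vault = RateVault(nsr=RAY + 10**18)  # constructed rate, about 3.2% per year
    vault.drip(86_400)                   # one day of accrual before the deposit
    assets = 10**18
    immediate = round_trip(vault, assets, 0)   # only rounding dust is lost
    held = round_trip(vault, assets, 3_600)    # one hour of accrual
    return assets - immediate, held - assets

if __name__ == "__main__":
    print(demo())
```
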