This repository has been archived by the owner on Nov 5, 2023. It is now read-only.

0x52 - Users are forced to swap all reward tokens with no slippage protection #121

Open
sherlock-admin opened this issue Apr 30, 2023 · 2 comments
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability High A valid High severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin
Contributor

0x52

high

Users are forced to swap all reward tokens with no slippage protection

Summary

AuraSpell forces users to swap their reward tokens to the debt token but doesn't allow them to specify any slippage values.

Vulnerability Detail

AuraSpell.sol#L193-L203

    for (uint256 i = 0; i < rewardTokens.length; i++) {
        uint256 rewards = _doCutRewardsFee(rewardTokens[i]);
        _ensureApprove(rewardTokens[i], address(swapRouter), rewards);
        swapRouter.swapExactTokensForTokens(
            rewards,
            0,
            swapPath[i],
            address(this),
            type(uint256).max
        );
    }

Above, all reward tokens are swapped and always use 0 for min out, meaning that deposits will be sandwiched and stolen.

Impact

All reward tokens can be sandwiched and stolen

Code Snippet

AuraSpell.sol#L149-L224

Tool used

Manual Review

Recommendation

Allow the user to specify slippage parameters for all reward tokens
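The recommendation above, sketched as an added example that is not code from the audited project or from the reporter: the same reward-swap loop, but taking a caller-supplied minimum output per reward token (and a caller-supplied deadline instead of type(uint256).max). The ISwapRouter interface, the minOuts and deadline parameters and the abstract _doCutRewardsFee/_ensureApprove declarations are assumptions; the router signature is the Uniswap-V2-style one the original loop calls.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal router interface: only the function the original loop calls.
interface ISwapRouter {
    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path,
        address to,
        uint256 deadline
    ) external returns (uint256[] memory amounts);
}

// Hypothetical sketch of the hardened loop; not the project's own contract.
abstract contract RewardSwapWithSlippage {
    ISwapRouter public swapRouter;

    // Helpers named in the original snippet; their bodies live in the real spell.
    function _doCutRewardsFee(address token) internal virtual returns (uint256);
    function _ensureApprove(address token, address spender, uint256 amount) internal virtual;

    /// @param rewardTokens reward tokens to convert into the debt token
    /// @param swapPaths    router path for each reward token
    /// @param minOuts      caller-supplied minimum output per swap (the fix)
    /// @param deadline     caller-supplied deadline; the router enforces it
    function _swapRewards(
        address[] memory rewardTokens,
        address[][] memory swapPaths,
        uint256[] memory minOuts,
        uint256 deadline
    ) internal {
        // Exactly one bound per token, so no swap can silently fall back to 0.
        require(minOuts.length == rewardTokens.length, "minOuts length");
        require(swapPaths.length == rewardTokens.length, "swapPaths length");

        for (uint256 i = 0; i < rewardTokens.length; i++) {
            uint256 rewards = _doCutRewardsFee(rewardTokens[i]);
            if (rewards == 0) continue; // assumption: skip tokens with nothing to swap
            _ensureApprove(rewardTokens[i], address(swapRouter), rewards);
            // The router reverts when the output would be below minOuts[i], so a
            // price moved against the user makes the call fail rather than
            // handing the difference to a sandwicher.
            swapRouter.swapExactTokensForTokens(
                rewards,
                minOuts[i],
                swapPaths[i],
                address(this),
                deadline
            );
        }
    }
}
```

The minOuts values are best computed off-chain by the caller from a current quote minus an acceptable tolerance, so that the bound is tied to the price at submission time rather than to a fixed constant.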

@Gornutz

Gornutz commented Jun 12, 2023

@IAm0x52
Collaborator

IAm0x52 commented Jun 16, 2023

Needs a similar fix for ConvexSpell
