Breeje - No Slippage Protection while Swapping tokens through uniswap router

[sherlock-admin]

Breeje

high

No Slippage Protection while Swapping tokens through uniswap router

Summary

While Closing Position Farm in AuraSpell, convexSpell and curveSpell, there is a use of Uniswap Router which uses swapExactTokensForTokens method call to Swap rewards tokens to debt token. But the value of amountOutMinimum is set to be zero which allows 100% Value Slippage.

Vulnerability Detail

In closePositionFarm method of all the 3 spell contracts, there is no slippage control while swapping the reward tokens into debt tokens which means that a malicious actor could, e.g., trivially insert transactions before and after the naive transaction (using the infamous "sandwich" attack), causing the smart contract to trade at a radically worse price, profit from this at the caller's expense, and then return the contracts to their original state, all at a low cost.

Impact

Loss of Funds.

Code Snippet

File: AuraSpell.sol

  swapRouter.swapExactTokensForTokens(
      rewards,
      0,
      swapPath,
      address(this),
      type(uint256).max
  );

Link to Code

File: ConvexSpell.sol

  swapRouter.swapExactTokensForTokens(
      rewards,
      0,
      swapPath,
      address(this),
      type(uint256).max
  );

Link to Code

File: CurveSpell.sol

  swapRouter.swapExactTokensForTokens(
      rewards,
      0,
      swapPath,
      address(this),
      type(uint256).max
  );

Link to Code

Tool used

Manual Review

Recommendation

Use a require check at the end of swap to make sure that slippage is not higher than user allowed slippage.

Duplicate of #121