This repository has been archived by the owner on Nov 12, 2023. It is now read-only.

Bauer - AuraSpell Vault.exitPool without any slippage protection #15

Closed
sherlock-admin opened this issue May 11, 2023 · 2 comments
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin

Bauer

high

AuraSpell Vault.exitPool without any slippage protection

Summary

When users exit from a Balancer pool with minAmountsOut set to 0, they may be vulnerable to sandwich attacks.

Vulnerability Detail

The AuraSpell.closePositionFarm() function is used for closing a leveraged position. Inside the function, the protocol removes liquidity from a Balancer pool and expects to receive at least the minimum amount of tokens specified in minAmountsOut. However, minAmountsOut is [0,0], so it is vulnerable to sandwich attacks.

    // new uint[](2) is zero-initialised, so both exit limits are 0
    uint[] memory minAmountsOut = new uint[](2);
    wAuraPools.getVault(lpToken).exitPool(
        IBalancerPool(lpToken).getPoolId(),
        address(this),
        address(this),
        IBalancerVault.ExitPoolRequest(tokens, minAmountsOut, "", false)
    );

As the code below shows, the Vault protocol checks the minimum amount of tokens the user expects to get out of the Pool.

    function _processExitPoolTransfers(
        address payable recipient,
        PoolBalanceChange memory change,
        bytes32[] memory balances,
        uint256[] memory amountsOut,
        uint256[] memory dueProtocolFeeAmounts
    ) private returns (bytes32[] memory finalBalances) {
        finalBalances = new bytes32[](balances.length);
        for (uint256 i = 0; i < change.assets.length; ++i) {
            uint256 amountOut = amountsOut[i];
            // change.limits[i] carries the caller's minAmountsOut[i]; with 0 this never reverts
            _require(amountOut >= change.limits[i], Errors.EXIT_BELOW_MIN);

Impact

Users may be vulnerable to sandwich attacks when exiting the pool.

Code Snippet

https://github.com/sherlock-audit/2023-05-blueberry/blob/main/blueberry-core/contracts/spell/AuraSpell.sol#L183-L190
https://dashboard.tenderly.co/tx/mainnet/0x81e61ccf1e4190dd81cc73bbaac497d53d367e4c5804790fa168044df578d525/debugger?trace=0.2

Tool used

Manual Review

Recommendation

Set the minimum amount of tokens the user expects to get out of the Pool.
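
One way to apply the recommendation, shown as an added example that is not part of the original report and is not Blueberry's or Balancer's code: the caller passes the amounts quoted off-chain plus a tolerance, and the contract derives non-zero limits for the Vault's `EXIT_BELOW_MIN` check. The contract name `ExitWithLimits`, the function `exitWithLimits`, its parameters and the trimmed `IBalancerVault` interface are assumptions that mirror the call shape in the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Minimal interface declared here so the example compiles on its own.
// Assumption: it mirrors the call in the report's snippet.
interface IBalancerVault {
    struct ExitPoolRequest {
        address[] assets;
        uint256[] minAmountsOut;
        bytes userData;
        bool toInternalBalance;
    }

    function exitPool(
        bytes32 poolId,
        address sender,
        address payable recipient,
        ExitPoolRequest memory request
    ) external;
}

// Hypothetical contract; names and parameters are illustrative.
contract ExitWithLimits {
    uint256 private constant BPS = 10_000;

    // quotedAmountsOut: per-token amounts the caller expects, quoted off-chain
    //   before the transaction is sent. Deriving them on-chain from spot pool
    //   balances in the same transaction would track a manipulated price.
    // maxSlippageBps: tolerated shortfall against the quote, in basis points.
    function exitWithLimits(
        IBalancerVault vault,
        bytes32 poolId,
        address[] memory tokens,
        uint256[] calldata quotedAmountsOut,
        uint256 maxSlippageBps
    ) external {
        require(quotedAmountsOut.length == tokens.length, "length mismatch");
        require(maxSlippageBps < BPS, "slippage too high");
        uint256[] memory minAmountsOut = new uint256[](tokens.length);
        for (uint256 i = 0; i < tokens.length; ++i) {
            minAmountsOut[i] = (quotedAmountsOut[i] * (BPS - maxSlippageBps)) / BPS;
            // Reject a limit that rounds to 0 for a token the caller expects.
            require(quotedAmountsOut[i] == 0 || minAmountsOut[i] > 0, "zero limit");
        }
        // The Vault reverts with EXIT_BELOW_MIN if any amountOut < minAmountsOut[i].
        vault.exitPool(poolId, address(this), payable(address(this)),
            IBalancerVault.ExitPoolRequest(tokens, minAmountsOut, "", false));
    }
}
```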

github-actions bot added the labels Medium (A valid Medium severity issue) and Has Duplicates (A valid issue with 1+ other issues describing the same vulnerability) on May 23, 2023
Gornutz added the label Duplicate (A valid issue that is a duplicate of an issue with the `Has Duplicates` label) on May 24, 2023

Gornutz commented May 24, 2023

Duplicate of 121 from Update competition #1

@hrishibhat

Duplicate of 121 from the previous contest.
sherlock-audit/2023-04-blueberry-judging#121

sherlock-admin added the label Non-Reward (This issue will not receive a payout) and removed the labels Medium, Has Duplicates and Duplicate on May 25, 2023