Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2022-06-BADGER-FINDINGS-ISSUES-128
HistoryJun 18, 2022 - 12:00 a.m.

Low Value Definition On The Slippage

2022-06-1800:00:00
Code4rena
github.com
3
JSON

Lines of code

Vulnerability details

Impact

Trades can happen at a bad price and lead to receiving fewer tokens than at a fair market price.
The attacker’s profit is the protocol’s loss.

Proof of Concept

MyStrategy contract has low slippage checks which can lead to being vulnerable to sandwich attacks.

A common attack in DeFi is the sandwich attack. Upon observing a trade of asset X for asset Y, an attacker frontruns the victim trade by also buying asset Y, lets the victim execute the trade, and then backruns (executes after) the victim by trading back the amount gained in the first trade. Intuitively, one uses the knowledge that someone’s going to buy an asset, and that this trade will increase its price, to make a profit. The attacker’s plan is to buy this asset cheap, let the victim buy at an increased price, and then sell the received amount again at a higher price afterwards.

In the exitPool call, you have to provide minAmountsOut, the lower limits for the tokens to receive. In short, what are the minimum amounts you would find acceptable, given the amount of BPT you are providing?
A good practice would be to user queryExit in BalancerHelpers to find the current amounts of tokens you would get for your BPT, and then account for some possible slippage.
Let’s say that you want to allow a 1% slippage. After computing how many tokens you expect for a given amount of BPT, you’d apply a factor of 0.99 to all the amounts. These thresholds are important because it’s possible for token amounts to change in the pool between the time you send your transaction and the when your transaction executes.

In the strategy contract, Its hardcoded as 2.

Tools Used

Code Review

            IBalancerVault.ExitPoolRequest memory exitPoolRequest = IBalancerVault.ExitPoolRequest({
                assets: assets,
                minAmountsOut: new uint256[](2),
                userData: abi.encode(ExitKind.EXACT_BPT_IN_FOR_ONE_TOKEN_OUT, balEthBptEarned, BPT_WETH_INDEX),
                toInternalBalance: false
            });

Recommended Mitigation Steps

Add minimum return amount checks based on the queryExit in BalancerHelpers.

Accept a function parameter that can be chosen by the transaction sender, then check that the actually received amount is above this parameter.

Alternatively, check if it’s feasible to send these transactions directly to a miner such that they are not visible in the public mempool.

The text was updated successfully, but these errors were encountered:

All reactions

JSON