4 matches found
Upgraded Q -> 2 from #625 [1677633526031]
Judge has assessed an item in Issue 625 as 2 risk. The relevant finding follows: 4. lastHarvest variable inside AdapterBase will never be updated after a successful harvest,this will create big problems related to all the harvest function inside AdapterBase by making this function unusable,in fac...
Yield may be stolen by MEV bot by sandwiching harvest()
Lines of code Vulnerability details Impact Yield may be stolen by MEV bot by sandwiching harvest. Because of minimum output amount of swapping is set to 0. Which mean MEV bot can pump price of AURA token to the highest price before your strategy swap to let you buy AURA token at an incredibly hig...
Harvest is vulnerable to sandwich attack.
Lines of code Vulnerability details Impact Function harvest does multiple swaps from auraBAL - BAL/ETH BPT - WETH - AURA using BalancerVault. But it doesn’t use minAmountsOut or have a check for mimimum return amount. It makes this function vulnerable to sandwich attack. An attacker which can be ...
attacker can lock all the auraBAL rewards in contract address forever and they won't be accessible
Lines of code Vulnerability details Impact auraBAL token is in protected tokens list, so it can't be transferred to bribeProcessor by using sweepRewardToken. function harvest is supposed to call LOCKER.getReward and then swap received auraBAL rewards and deposit them in LOCKER, but it only can do...