Breeje - No Slippage protection in `swap` allows MEV Attack and Loss of Funds while executing Deposit
Closed this issue · 0 comments
Breeje
high
No Slippage protection in swap
allows MEV Attack and Loss of Funds while executing Deposit
Summary
In ExecuteDepositUtils
, swap
method is used in executeDeposit
methods which is vulnerable to MEV Attacks.
Vulnerability Detail
In swap
method, the SwapParams
passed contains minOutputAmount
as Zero. There is no slippage control here which means that a malicious actor could, e.g., trivially insert transactions before and after the naive transaction (using the infamous "sandwich" attack), causing the smart contract to trade at a radically worse price, profit from this at the caller's expense, and then return the contracts to their original state, all at a low cost.
Here's how the attack can happen:
- MEV Bot or any attacker Detect this
swap
transaction in mempool. - It Front-Run the victim’s transaction. Can possibly use Flash Loans for it to maximise the damage.
- As the Pool balance is manipulated, Victim transacts with this pool and suffers higher slippage.
- The attacker then back-runs the victim, and maximize it's profit from the loss of victim which is this migration is our case.
Impact
Loss of Funds.
Code Snippet
File: ExecuteDepositUtils.sol
(address outputToken, uint256 outputAmount) = SwapUtils.swap(
SwapUtils.SwapParams(
params.dataStore, // dataStore
params.eventEmitter, // eventEmitter
params.oracle, // oracle
params.depositVault, // bank
initialToken, // tokenIn
inputAmount, // amountIn
swapPathMarkets, // swapPathMarkets
0, // minOutputAmount
market, // receiver
false // shouldUnwrapNativeToken
)
);
Tool used
Manual Review
Recommendation
Add a valid value for slippage or add a parameter expectedOutputAmount
and check that should be equal to outputToken
.