0x52 - AuraSpell#closePositionFarm requires users to swap all reward tokens through same router

Question

0x52 - AuraSpell#closePositionFarm requires users to swap all reward tokens through same router

sherlock-admin opened this issue 2 years ago · 2 comments

0x52

medium

AuraSpell#closePositionFarm requires users to swap all reward tokens through same router

Summary

AuraSpell#closePositionFarm requires users to swap all reward tokens through same router. This is problematic as it is very unlikely that a UniswapV2 router will have good liquidity sources for all tokens and will result in users experiencing forced losses to their reward token.

Vulnerability Detail

AuraSpell.sol#L193-L203

    for (uint256 i = 0; i < rewardTokens.length; i++) {
        uint256 rewards = _doCutRewardsFee(rewardTokens[i]);
        _ensureApprove(rewardTokens[i], address(swapRouter), rewards);
        swapRouter.swapExactTokensForTokens(
            rewards,
            0,
            swapPath[i],
            address(this),
            type(uint256).max
        );
    }

All tokens are forcibly swapped through a single router.

Impact

Users will be forced to swap through a router even if it doesn't have good liquidity for all tokens

Code Snippet

AuraSpell.sol#L149-L224

Tool used

Manual Review

Recommendation

Allow users to use an aggregator like paraswap or multiple routers instead of only one single UniswapV2 router.

Answer 1 · 2023-06-12T15:31:12.000Z

Blueberryfi/blueberry-core@f0584ec

Answer 2 · 2023-06-16T21:27:09.000Z

ConvexSpell needs similar fix