0x52 - ConvexSpell#closePositionFarm removes liquidity without any slippage protection
Opened this issue · 2 comments
sherlock-admin commented
0x52
medium
ConvexSpell#closePositionFarm removes liquidity without any slippage protection
Summary
ConvexSpell#closePositionFarm removes liquidity without any slippage protection allowing withdraws to be sandwiched and stolen. Curve liquidity has historically been strong but for smaller pairs their liquidity is getting low enough that it can be manipulated via flashloans.
Vulnerability Detail
ICurvePool(pool).remove_liquidity_one_coin(
amountPosRemove,
int128(tokenIndex),
0
);
Liquidity is removed as a single token which makes it vulnerable to sandwich attacks but no slippage protection is implemented. The same issue applies to CurveSpell.
Impact
User withdrawals can be sandwiched
Code Snippet
Tool used
Manual Review
Recommendation
Allow user to specify min out
Gornutz commented
IAm0x52 commented
Fix calculates minOut incorrectly because it fails to multiply by virtualPrice