0x52 - ConvexSpell#closePositionFarm removes liquidity without any slippage protection

Question

0x52 - ConvexSpell#closePositionFarm removes liquidity without any slippage protection

Opened this issue a year ago · 2 comments

0x52

medium

ConvexSpell#closePositionFarm removes liquidity without any slippage protection

Summary

ConvexSpell#closePositionFarm removes liquidity without any slippage protection allowing withdraws to be sandwiched and stolen. Curve liquidity has historically been strong but for smaller pairs their liquidity is getting low enough that it can be manipulated via flashloans.

Vulnerability Detail

ConvexSpell.sol#L204-L208

        ICurvePool(pool).remove_liquidity_one_coin(
            amountPosRemove,
            int128(tokenIndex),
            0
        );

Liquidity is removed as a single token which makes it vulnerable to sandwich attacks but no slippage protection is implemented. The same issue applies to CurveSpell.

Impact

User withdrawals can be sandwiched

Code Snippet

ConvexSpell.sol#L147-L230

CurveSpell.sol#L143-L223

Tool used

Manual Review

Recommendation

Allow user to specify min out

Answer 1 · 2023-06-12T16:28:27.000Z

Blueberryfi/blueberry-core@46f9448

Answer 2 · 2023-06-16T21:16:55.000Z

Fix calculates minOut incorrectly because it fails to multiply by virtualPrice