You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
[M-7] The slippage check on the destination is only done if the first action is deposit/withdrawal
Description
The slippage check is only performed if the first action is a deposit or withdrawal, not for all actions.
ConnextRouter.sol
_accountForSlippage()
if (action == Action.Deposit || action == Action.Payback)
This covers all cases where a user bridges an asset, except in cases where the received funds are used in a nested action.
For example:
xReceive with X amount of funds.
2 .Bundle : 1. permitWithdraw() 2. withdraw(Y) 3. xCallWithCallData(Deposit (X + Y))
Fuji Team responded to this lead with following : Response:
In this case after the 3rd action xCallwithCallData, on the destination chain the slippage will be checked on a deposit.
While it is true that slippage would be checked at the final destination, that check would occur for X+ Y in terms of nested xCall slippage parameters, not on X in terms of the initial xCAll. Therefore, the contract would accept any X slippage and execute an xCall to the final destination, missing a required check on the first level.
If X + Y does not fall within the slippage range, the call would revert at the final destination. However, the user's position on the middle chain would already be withdrawn, and they would be unable to take any action to rectify the situation.
Remediation to consider
Consider checking for slippage in xReceive whenever the contract receives any funds.
To avoid looping through all actions to get the amount, consider sending AmountMinOut instead of slippage in calldata.
Note if you decide to solve #455 the hardcoded slippage protections of _crossTransferWithCalldata won’t allow adapting.
by removing the explicit slippage protection, this issue won't be applicable anymore.
The text was updated successfully, but these errors were encountered:
[M-7] The slippage check on the destination is only done if the first action is deposit/withdrawal
Description
The slippage check is only performed if the first action is a deposit or withdrawal, not for all actions.
This covers all cases where a user bridges an asset, except in cases where the received funds are used in a nested action.
For example:
xReceivewith X amount of funds.2 .Bundle :
1. permitWithdraw() 2. withdraw(Y) 3. xCallWithCallData(Deposit (X + Y))Fuji Team responded to this lead with following :
Response:
In this case after the 3rd action xCallwithCallData, on the destination chain the slippage will be checked on a deposit.
While it is true that slippage would be checked at the final destination, that check would occur for X+ Y in terms of nested
xCallslippage parameters, not on X in terms of the initialxCAll. Therefore, the contract would accept any X slippage and execute anxCallto the final destination, missing a required check on the first level.If X + Y does not fall within the slippage range, the call would revert at the final destination. However, the user's position on the middle chain would already be withdrawn, and they would be unable to take any action to rectify the situation.
Remediation to consider
Consider checking for slippage in
xReceivewhenever the contract receives any funds.To avoid looping through all actions to get the amount, consider sending
AmountMinOutinstead ofslippagein calldata.Note if you decide to solve #455 the hardcoded slippage protections of _crossTransferWithCalldata won’t allow adapting.
by removing the explicit slippage protection, this issue won't be applicable anymore.
The text was updated successfully, but these errors were encountered: