Only ensuring the LP is repaid when closing the position invites MEV bots #21
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-26
satisfactory
satisfies C4 submission criteria; eligible for awards
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2023-12-particle/blob/a3af40839b24aa13f5764d4f84933dbfa8bc8134/contracts/protocol/ParticlePositionManager.sol#L399
Vulnerability details
Impact
Only ensuring that the LP is repaid when closing a position invites MEV bots to capture the borrower's refund.
Proof of Concept
In the function _closePosition, the borrower's tokens are swapped to repay the LP (lender). The code only ensures that the swapped-out amount can repay the LP. However, this is not sufficient to protect against MEV frontrunning.
Suppose the repayment amount is 100 USDC and the user swaps 1 WETH for USDC. The expected outcome without frontrunning is:
1 WETH gets swapped to 2200 USDC
100 USDC is used to add liquidity to repay the LP
the borrower gets 2100 USDC refunded (minus the interest)
However, this effectively means the minOutput slippage protection is set to 100 USDC, so an MEV bot can still frontrun the transaction and take the funds that belong to the refund.
In short, ensuring the LP is repaid and using the LP repayment amount as the only minimum output does not protect against MEV frontrunning, as the example above shows.
Tools Used
Manual Review
Recommended Mitigation Steps
Revisit slippage control when a position is closed: the user should be able to supply the parameter amountToMinimum so that it is not 0.
If the transaction's output amount does not cover the repayment, the transaction should revert; otherwise, the excess leftover funds should be refunded.
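As an added illustration (example code, not the Particle protocol's own), the Python model below uses a constructed constant-product WETH/USDC pool with no swap fee. It reproduces the scenario above and shows that a floor equal only to the repayment amount lets an adverse price move eat into the refund, while a caller-supplied amountOutMinimum makes the close revert instead.

```python
# Added illustration (not the project's code): a toy x*y=k WETH/USDC pool and a
# close-position step whose slippage floor is, by default, only the LP repayment.


class SlippageExceeded(Exception):
    """Raised when swap output is below the required minimum (models a revert)."""


class Pool:
    """Constructed constant-product pool, no swap fee (simplifying assumption)."""

    def __init__(self, reserve_weth: float, reserve_usdc: float) -> None:
        self.reserve_weth = reserve_weth
        self.reserve_usdc = reserve_usdc

    def swap_weth_to_usdc(self, weth_in: float) -> float:
        k = self.reserve_weth * self.reserve_usdc
        new_weth = self.reserve_weth + weth_in
        usdc_out = self.reserve_usdc - k / new_weth
        self.reserve_weth = new_weth
        self.reserve_usdc -= usdc_out
        return usdc_out


def close_position(pool: Pool, weth_in: float, repay_amount: float,
                   amount_out_minimum: float) -> float:
    """Swap the borrower's WETH, repay the LP, and return the borrower's refund.

    The swap must always cover repay_amount (what the report says the code
    checks). amount_out_minimum is the caller-supplied floor the mitigation
    asks for; passing 0 reproduces the reported behaviour.
    """
    usdc_out = pool.swap_weth_to_usdc(weth_in)
    required = max(repay_amount, amount_out_minimum)
    if usdc_out < required:
        raise SlippageExceeded(f"got {usdc_out:.2f} USDC, need {required:.2f}")
    return usdc_out - repay_amount


def simulate_close(amount_out_minimum: float, adverse_weth_sold: float = 0.0):
    """Refund for the report's case (1 WETH in, 100 USDC owed), or None on revert.

    adverse_weth_sold models a large WETH sale landing just before the close,
    moving the price against the borrower as the frontrunning in the report does.
    """
    pool = Pool(reserve_weth=100_000.0, reserve_usdc=220_000_000.0)  # ~2200 USDC/WETH
    if adverse_weth_sold:
        pool.swap_weth_to_usdc(adverse_weth_sold)
    try:
        return close_position(pool, weth_in=1.0, repay_amount=100.0,
                              amount_out_minimum=amount_out_minimum)
    except SlippageExceeded:
        return None
```

With the floor at 0 the close still succeeds after the adverse move and the borrower simply receives a smaller refund; with a user-supplied floor near the quoted output it reverts, which is the behaviour the mitigation asks for.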
Assessed type
MEV