_payDebt() Lack of slippage protection #48

@c4-bot-6

Description

Lines of code

https://github.com/code-423n4/2024-05-bakerfi/blob/59b1f70cbf170871f9604e73e7fe70b70981ab43/contracts/core/strategies/StrategyLeverage.sol#L545

Vulnerability details

In _payDebt() the following steps are performed:

  1. Calculate how much amountIn is needed to pay back debtAmount + fee by calling the quoteExactOutputSingle() method.
  2. Call _withdraw(amountIn) to retrieve ierc20A.
  3. Call _swap() with maxAmountIn = amountIn to obtain debtAmount + fee.

```solidity
    function _payDebt(uint256 debtAmount, uint256 fee) internal {
        _repay(wETHA(), debtAmount);
        // Get a Quote to know how much collateral i require to pay debt
        (uint256 amountIn, , , ) = uniQuoter().quoteExactOutputSingle(
@>          IQuoterV2.QuoteExactOutputSingleParams(ierc20A(), wETHA(), debtAmount + fee, 500, 0)
        );

@>      _withdraw(ierc20A(), amountIn, address(this));

        uint256 output = _swap(
            ISwapHandler.SwapParams(
                ierc20A(),
                wETHA(),
                ISwapHandler.SwapType.EXACT_OUTPUT,
@>              amountIn,
                debtAmount + fee,
                _swapFeeTier,
                bytes("")
            )
        );
        // When there are leftovers from the swap, deposit them back
        uint256 wethLefts = output > (debtAmount + fee) ? output - (debtAmount + fee) : 0;
        if (wethLefts > 0) {
            _supply(wETHA(), wethLefts);
        }
        emit StrategyUndeploy(msg.sender, debtAmount);
    }
```

The first step obtains amountIn from the pool's real-time price, and the third step then passes that same amountIn as the maximum amount in.

Both values come from real-time pricing, so there is no slippage protection at all.

Impact

vault.rebalance() -> strategy.harvest() -> _adjustDebt() -> _payDebt(): the swap can be sandwiched to manipulate the price.

Recommended Mitigation

Add slippage protection: derive the acceptable range from TWAP prices instead of the spot quote.
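A hardened version of the function along those lines, as an added example and not code from the BakerFi repository: the spot quote is kept, but it is rejected whenever it exceeds a TWAP-derived bound, so a manipulated pool makes the rebalance revert rather than overspend collateral. ITwapOracle, _quoteCollateralIn(), _maxSlippageBps and the ISwapHandler stand-in are assumptions; the remaining names follow the issue.

```solidity
pragma solidity ^0.8.18;
// Stand-ins (assumed, not the project's code) for the TWAP oracle and the
// strategy internals _payDebt() calls; names follow the issue where they exist.
interface ITwapOracle {
    function collateralPriceInWeth() external view returns (uint256); // 1 ierc20A in wETH, 1e18 scale
}
interface ISwapHandler {
    enum SwapType { EXACT_INPUT, EXACT_OUTPUT }
    struct SwapParams {
        address underlyingIn; address underlyingOut; SwapType mode;
        uint256 amountIn; uint256 amountOut; uint24 feeTier; bytes payload;
    }
}

abstract contract PayDebtWithSlippageGuard {
    uint256 internal constant BPS = 10_000;
    uint256 internal _maxSlippageBps = 50; // 0.50% tolerance, assumed setting
    ITwapOracle internal _twap;            // assumed oracle
    uint24 internal _swapFeeTier;

    function ierc20A() internal view virtual returns (address);
    function wETHA() internal view virtual returns (address);
    function _quoteCollateralIn(uint256 wethOut) internal virtual returns (uint256); // wraps uniQuoter()
    function _repay(address asset, uint256 amount) internal virtual;
    function _withdraw(address asset, uint256 amount, address to) internal virtual;
    function _supply(address asset, uint256 amount) internal virtual;
    function _swap(ISwapHandler.SwapParams memory p) internal virtual returns (uint256);

    // Collateral the swap may consume at the TWAP price, widened by the tolerance.
    function _maxCollateralIn(uint256 wethOut) internal view returns (uint256) {
        uint256 twap = _twap.collateralPriceInWeth();
        require(twap > 0, "twap unavailable");
        return ((wethOut * 1e18) / twap) * (BPS + _maxSlippageBps) / BPS;
    }

    function _payDebt(uint256 debtAmount, uint256 fee) internal {
        _repay(wETHA(), debtAmount);
        uint256 wethOut = debtAmount + fee;
        uint256 amountIn = _quoteCollateralIn(wethOut); // spot quote: manipulable
        // Bound the spot quote by the TWAP-derived limit, so a manipulated pool
        // makes the rebalance revert instead of overspending collateral.
        require(amountIn <= _maxCollateralIn(wethOut), "slippage: quote above TWAP bound");
        _withdraw(ierc20A(), amountIn, address(this));
        uint256 output = _swap(ISwapHandler.SwapParams(
            ierc20A(), wETHA(), ISwapHandler.SwapType.EXACT_OUTPUT,
            amountIn, wethOut, _swapFeeTier, bytes("")));
        uint256 wethLeft = output > wethOut ? output - wethOut : 0;
        if (wethLeft > 0) _supply(wETHA(), wethLeft);
    }
}
```

The tolerance should be wide enough to cover normal pool drift between TWAP and spot for the chosen fee tier, otherwise honest rebalances revert too.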

Assessed type

Context

Metadata

Labels

  - 3 (High Risk): Assets can be stolen/lost/compromised directly
  - 🤖_19_group: AI based duplicate group recommendation
  - bug: Something isn't working
  - duplicate-32
  - satisfactory: satisfies C4 submission criteria; eligible for awards
  - upgraded by judge: Original issue severity upgraded from QA/Gas by judge