This repository has been archived by the owner on Jun 2, 2024. It is now read-only.
0x52 - SdtRewardReceiver#_withdrawRewards has incorrect slippage protection and withdraws can be sandwiched #180
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
Medium
A valid Medium severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
0x52
medium
SdtRewardReceiver#_withdrawRewards has incorrect slippage protection and withdraws can be sandwiched
Summary
The _min_dy parameter of poolCvgSDT.exchange is set via the poolCvgSDT.get_dy method. The problem with this is that get_dy is a relative output that is executed at runtime. This means that no matter the state of the pool, this slippage check will never work.
Vulnerability Detail
SdtRewardReceiver.sol#L229-L236
When swapping from SDT to cvgSDT, get_dy is used to set _min_dy inside exchange. The issue is that get_dy is the CURRENT amount that would be received when swapping as shown below:
The return value is EXACTLY the result of a regular swap, which is where the problem is. There is no way that the exchange call can ever revert. Assume the user is swapping because the current exchange ratio is 1:1.5. Now assume their withdraw is sandwich attacked. The ratio is change to 1:0.5 which is much lower than expected. When get_dy is called it will simulate the swap and return a ratio of 1:0.5. This in turn doesn't protect the user at all and their swap will execute at the poor price.
Impact
SDT rewards will be sandwiched and can lose the entire balance
Code Snippet
SdtRewardReceiver.sol#L213-L245
Tool used
Manual Review
Recommendation
Allow the user to set _min_dy directly so they can guarantee they get the amount they want
The text was updated successfully, but these errors were encountered: