Steadefi

Summary

Slippage is not functional as the user does not get to decide what expected output to measure against.

Vulnerability Details

The expected output of user depositing assets in vault is measured onchain. Being that the blockchain is time dependent and miners value incentivised, a transaction might not be included at the time the users intends it to. So the market price of an asset when transaction is sent might not be the market price of the asset when the transaction is processed, the idea of slippage protection in the blockchain when swapping/depositing an asset for another is that the gotten output does not deviate too far from the expected output. But when the user is not allowed to define the expected output and both contract gets to define both the expected output and actual output, then it makes the intention of the slippage control futile and causes the user to loose funds.

Impact

User looses funds.

Tools Used

Manual.

Recommendations

Allow user to define the expected output then measure slippage against actual output and user expected output.