The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

Lack of slippage protection in `swap()` in some cases, can be frontran

Summary

Lack of slippage protection in swap() in some cases, can be frontran

Vulnerability details

The SmartVaultV3::swap() function uses SmartVaultV3::calculateMinimumAmountOut() to calculate the minimum output amount of the swap.

calculateMinimumAmountOut():

return collateralValueMinusSwapValue >= requiredCollateralValue ?
0 : calculator.eurToToken(getToken(_outTokenSymbol), requiredCollateralValue - collateralValueMinusSwapValue);

As the code shows, whenever collateralValueMinusSwapValue >= requiredCollateralValue (that is, the collateral left after the swap value leaves the vault still meets the vault's required collateral value), calculateMinimumAmountOut() returns 0.

This means that if a user is sufficiently over-collateralised and attempts a swap, the minimum output passed to the swap is 0, so there is no slippage protection for that swap at all.

Impact

A malicious actor can exploit this with a classic sandwich attack. They start by front-running the transaction with their own swap (with large volume), increasing the price of the output token in the Uniswap pool. Then, once the user's swap executes at a worse price than expected, the malicious actor back-runs that transaction and sells their purchased tokens at a higher price than they bought them, gaining a profit at the cost of the user, whose swap was not slippage-protected.

Recommended Mitigation

Allow the user to pass a minimumAmountOut parameter when calling swap().
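The two points above, the zero floor returned by calculateMinimumAmountOut() for an over-collateralised vault and the recommended user-supplied minimumAmountOut, modelled end to end in Python as an added example. This is not code from The Standard's contracts or from the report: Vault, ConstantProductPool, the 110% ratio, the pool reserves, the 1 EUR oracle price and the swap sizes are all constructed assumptions, and combining the user's minimum with the collateral floor via max() is a design choice of this example rather than something the page specifies.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed example: every number below is made up for illustration and is
# not taken from The Standard's contracts or from the finding above.


class SlippageError(Exception):
    """Models the swap reverting because the output is below the minimum."""


@dataclass
class Vault:
    collateral_eur: int   # EUR value of all collateral the vault holds
    minted_eur: int       # outstanding stablecoin debt of the vault
    collateral_rate: int  # required collateralisation in percent (assumed 110)

    def required_collateral_value(self) -> int:
        return self.minted_eur * self.collateral_rate // 100


def eur_to_token(eur: int, eur_per_token: int) -> int:
    # Stand-in for calculator.eurToToken(): a fixed oracle price is assumed.
    return eur // eur_per_token


def calculate_minimum_amount_out(vault: Vault, swap_value_eur: int,
                                 eur_per_out_token: int) -> int:
    """Mirrors the page's calculateMinimumAmountOut(): the floor is only what
    keeps the vault at its required ratio, so it is 0 whenever the vault is
    still sufficiently collateralised once the swapped value leaves it."""
    collateral_minus_swap = vault.collateral_eur - swap_value_eur
    required = vault.required_collateral_value()
    if collateral_minus_swap >= required:
        return 0
    return eur_to_token(required - collateral_minus_swap, eur_per_out_token)


class ConstantProductPool:
    """Minimal fee-less x*y=k pool, enough to show price impact."""

    def __init__(self, reserve_in: int, reserve_out: int):
        self.reserve_in = reserve_in
        self.reserve_out = reserve_out

    def quote(self, amount_in: int, reverse: bool = False) -> int:
        r_in, r_out = ((self.reserve_out, self.reserve_in) if reverse
                       else (self.reserve_in, self.reserve_out))
        return r_out - (r_in * r_out) // (r_in + amount_in)

    def swap(self, amount_in: int, reverse: bool = False) -> int:
        amount_out = self.quote(amount_in, reverse)
        if reverse:
            self.reserve_out += amount_in
            self.reserve_in -= amount_out
        else:
            self.reserve_in += amount_in
            self.reserve_out -= amount_out
        return amount_out


def vault_swap(vault: Vault, pool: ConstantProductPool, amount_in: int,
               swap_value_eur: int, eur_per_out_token: int,
               user_min_out: Optional[int] = None) -> int:
    """Vault-side swap. user_min_out=None is the behaviour the finding
    describes; a value models the recommended user-supplied minimum, which
    this example (an assumption) combines with the collateral floor via max()."""
    min_out = calculate_minimum_amount_out(vault, swap_value_eur, eur_per_out_token)
    if user_min_out is not None:
        min_out = max(min_out, user_min_out)
    amount_out = pool.quote(amount_in)
    if amount_out < min_out:
        raise SlippageError(f"output {amount_out} below minimum {min_out}")
    return pool.swap(amount_in)


def sandwich_scenario(user_min_out: Optional[int] = None) -> Tuple[int, int, int]:
    """Front-run, victim swap, back-run. Returns (fair quote the user expected,
    what the user actually received, attacker's net gain in the input token)."""
    vault = Vault(collateral_eur=150_000, minted_eur=100_000, collateral_rate=110)
    pool = ConstantProductPool(reserve_in=1_000_000, reserve_out=1_000_000)
    fair_quote = pool.quote(10_000)             # user's expectation pre-attack
    bought = pool.swap(200_000)                 # attacker's front-run buy
    user_out = vault_swap(vault, pool, 10_000, 10_000, 1, user_min_out)
    returned = pool.swap(bought, reverse=True)  # attacker sells back afterwards
    return fair_quote, user_out, returned - 200_000


def fix_blocks_sandwich(user_min_out: int) -> bool:
    """True if the user-supplied minimum makes the sandwiched swap revert."""
    try:
        sandwich_scenario(user_min_out)
    except SlippageError:
        return True
    return False


if __name__ == "__main__":
    fair, got, profit = sandwich_scenario()
    print(f"vulnerable: expected {fair}, received {got}, attacker gained {profit}")
    print(f"with user minimum 9_800: reverts = {fix_blocks_sandwich(9_800)}")
```

Running it shows the shape of the finding: the over-collateralised vault yields a floor of 0, the sandwiched user receives roughly 30% less than the pre-attack quote, and the attacker closes with a gain; with a user-supplied minimum near the fair quote the same swap reverts instead. The floor is still useful for an under-collateralised vault (it protects the vault's solvency), but it was never a market-slippage bound, which is why the user's own minimum is needed alongside it.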

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Slippage-issue

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Slippage-issue
