The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

calculateMinimumAmountOut() lacks slippage parameters

Summary

The calculateMinimumAmountOut() function allows a value of 0 to be returned under certain conditions. This opens the user up to high slippage and sandwich attacks.

Vulnerability Details

The value returned by the calculateMinimumAmountOut() function as the minimumAmountOut is finally decided like this:

SmartvaultV5.sol calculateMinimumAmountOut()
return collateralValueMinusSwapValue >= requiredCollateralValue ?
0 : calculator.eurToToken(getToken(_outTokenSymbol), requiredCollateralValue - collateralValueMinusSwapValue);

This shows that if collateralValueMinusSwapValue (collateral value minus swap value) is greater than or equal to requiredCollateralValue, then 0 is returned as the minimumAmountOut. This is problematic because a swap involving any token that has slippage, e.g. ARB, will have zero slippage protection, and as a result MEV bots could sandwich the swap and profit at the expense of the user.

Impact

Users could lose a portion, or the majority, of the value of the funds used in the swap.

Tools Used

Manual review.

Recommendations

Calculate the minimumAmountOut that will result even if collateralValueMinusSwapValue >= requiredCollateralValue.
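
One way to apply this recommendation, as an added example that is not code from The Standard's contracts: the reported collateral-only floor next to a variant that always enforces a slippage floor. Only collateralValueMinusSwapValue and requiredCollateralValue come from the snippet above; the library, the rate scaling, swapValue and maxSlippageBps are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example; not code from SmartvaultV5.sol. Only the two *Value names come
// from the finding's snippet. Everything else is a hypothetical stand-in.
library SwapFloorExample {
    uint256 internal constant BPS = 10_000;
    uint256 internal constant RATE_SCALE = 1e18;

    // Stand-in for calculator.eurToToken(): EUR value -> output-token amount,
    // using an assumed 1e18-scaled oracle rate.
    function eurToOut(uint256 eurValue, uint256 outPerEur) internal pure returns (uint256) {
        return eurValue * outPerEur / RATE_SCALE;
    }

    // Behaviour reported in the finding: the floor only covers the collateral
    // shortfall, so a sufficiently collateralised vault swaps with a floor of 0.
    function collateralOnlyFloor(
        uint256 collateralValueMinusSwapValue,
        uint256 requiredCollateralValue,
        uint256 outPerEur
    ) internal pure returns (uint256) {
        return collateralValueMinusSwapValue >= requiredCollateralValue
            ? 0
            : eurToOut(requiredCollateralValue - collateralValueMinusSwapValue, outPerEur);
    }

    // Recommended shape: always derive a slippage floor from the oracle-valued
    // input, then enforce whichever floor is stricter.
    function flooredMinimumAmountOut(
        uint256 collateralValueMinusSwapValue,
        uint256 requiredCollateralValue,
        uint256 swapValue,       // EUR value of the input amount (assumed known)
        uint256 outPerEur,       // assumed oracle rate, 1e18-scaled
        uint256 maxSlippageBps   // assumed caller/config tolerance, e.g. 100 = 1%
    ) internal pure returns (uint256) {
        require(maxSlippageBps < BPS, "tolerance must be below 100%");
        uint256 slippageFloor = eurToOut(swapValue, outPerEur) * (BPS - maxSlippageBps) / BPS;
        uint256 collateralFloor =
            collateralOnlyFloor(collateralValueMinusSwapValue, requiredCollateralValue, outPerEur);
        return collateralFloor > slippageFloor ? collateralFloor : slippageFloor;
    }
}
```

The tolerance has to be at least as large as the pool fee plus normal price movement, otherwise swaps revert under ordinary conditions.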

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Slippage-issue

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Slippage-issue
