The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

`amountOutMinimum` on `swap` is too low which may lead to sandwiches

Summary

`amountOutMinimum` will often be set to 0 (when `collateralValueMinusSwapValue >= requiredCollateralValue`), or to `requiredCollateralValue - collateralValueMinusSwapValue`, which can be much lower than the asset's market price.

Vulnerability Details

Even though sandwiches on Arbitrum are not easy, several points make this issue important:

  1. It's possible that the protocol will be deployed on Ethereum or Polygon.
    From Discord: https://discord.com/channels/1127263608246636635/1186696603730452490/1191743371379736606

hey, one more question regarding this, is the protocol going to be deployed on polygon, arbitrum and ethereum or

no plans to do so any time soon, but it is possible

From Readme:

Compatibilities:
Blockchains:
- Any EVM chains with live Chainlink data feeds and live Uniswap pools

  2. RPCs and wallets can sell or leak transaction data before it reaches the sequencer. This makes a sandwich possible when the attacker has the transaction and sends it between theirs (Arbitrum's sequencer is FIFO).

  3. A sudden price change can lead to an unexpectedly low amount returned.

  4. A change in pool liquidity, or insufficient pool liquidity, will lead to high slippage.

Impact

Users may lose up to all of the funds that they tried to swap.

Tools Used

Manual review

Recommended Mitigation Steps

Allow the user to pass `amountOutMinimum`, and check that the user-provided value is >= the currently calculated `amountOutMinimum`.
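
A numeric model of the floor described in the Summary and of the recommended check, added here as an example; it is not the protocol's code. The pool maths (constant product, no fees), the single common unit, the function names other than the three variables quoted above, and all figures are assumptions constructed for illustration.

```javascript
// Added model (not the protocol's Solidity). All values are constructed and
// expressed as BigInt amounts in one common unit for simplicity.

// Floor described in the Summary: it only protects vault collateralisation.
function protocolFloor(collateralValueMinusSwapValue, requiredCollateralValue) {
  return collateralValueMinusSwapValue >= requiredCollateralValue
    ? 0n
    : requiredCollateralValue - collateralValueMinusSwapValue;
}

// Recommended mitigation: accept the caller's minimum, never below the floor.
function effectiveMinOut(userMinOut, floor) {
  if (userMinOut < floor) throw new Error("user minimum below collateral floor");
  return userMinOut;
}

// Constant-product quote (x * y = k), fees ignored: a modelling assumption.
function quoteOut(pool, amountIn) {
  return (amountIn * pool.reserveOut) / (pool.reserveIn + amountIn);
}

// Executes against the pool state at execution time; reverts below minOut.
function swap(pool, amountIn, minOut) {
  const out = quoteOut(pool, amountIn);
  if (out < minOut) throw new Error("output below minOut");
  return out;
}

function demo() {
  const quoted = { reserveIn: 1_000_000n, reserveOut: 1_000_000n }; // state when the user signs
  const moved = { reserveIn: 1_500_000n, reserveOut: 666_667n };    // state when the swap executes
  const amountIn = 10_000n;

  const floor = protocolFloor(5_000n, 1_200n);        // healthy vault: floor is 0
  const expected = quoteOut(quoted, amountIn);        // what the user expects to receive
  const filledAtFloor = swap(moved, amountIn, floor); // accepted despite the price move

  const userMin = effectiveMinOut((expected * 99n) / 100n, floor); // 1% tolerance
  let reverted = false;
  try { swap(moved, amountIn, userMin); } catch (e) { reverted = true; }
  return { floor, expected, filledAtFloor, userMin, reverted };
}

console.log(demo());
```

With the collateral-only floor the swap fills at less than half the expected output; with the user-supplied minimum the same swap reverts.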

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Slippage-issue

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Slippage-issue
