The strategy's initial router exchange during first deployment lacks comprehensive slippage protection mechanisms, making it vulnerable to MEV and sandwich attacks during this critical phase.
In both StrategyMainnet.sol and StrategyOp.sol, the first exchange after initialization relies solely on keeper-provided slippage parameters without additional safeguards:
While basic slippage checks exist:
These checks lack reference points during initial deployment for setting optimal bounds.
The initialization functions (_initStrategy()) only set up router addresses and approvals without implementing robust price protection mechanisms for the first exchange. The reliance on keeper-provided parameters without additional safeguards during initial deployment creates a window of vulnerability for MEV attacks.
The lack of robust slippage protection during initial router exchange creates a critical vulnerability window where significant value can be extracted from the strategy's first deployment. MEV bots can observe the pending transaction and execute sandwich attacks by manipulating the pool price immediately before the strategy's swap, forcing unfavorable execution prices.
The impact is particularly severe because it affects the strategy's very first operation, potentially deterring early depositors and damaging the protocol's reputation from the start. The value at risk scales with the size of the initial deployment, making this especially concerning for larger capital deployments.
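One possible additional safeguard, modelled in Python rather than Solidity (an added example, not code from StrategyMainnet.sol or StrategyOp.sol): the keeper-supplied minimum output is rejected unless it sits within a tolerance of a reference price that is not read from the pool being swapped. The constant-product pool, the reference price source, the 100 bps default tolerance, the reserves and all names are assumptions.

```python
from dataclasses import dataclass

BPS = 10_000  # basis-point denominator


class SlippageError(Exception):
    """Stands in for a Solidity revert."""


@dataclass
class Pool:
    """Constant-product pool with a 0.3% fee (modelling assumption)."""
    reserve_in: int
    reserve_out: int

    def quote(self, amount_in: int) -> int:
        fee_adjusted = amount_in * 997
        return fee_adjusted * self.reserve_out // (self.reserve_in * 1000 + fee_adjusted)

    def swap(self, amount_in: int, min_out: int) -> int:
        out = self.quote(amount_in)
        if out < min_out:  # the router's own slippage check
            raise SlippageError("insufficient output amount")
        self.reserve_in += amount_in
        self.reserve_out -= out
        return out


def reference_floor(amount_in: int, ref_num: int, ref_den: int, max_slippage_bps: int) -> int:
    """Lowest min_out accepted, from a price ref_num/ref_den that is NOT read from the pool."""
    if ref_num <= 0 or ref_den <= 0:
        raise SlippageError("missing reference price")  # fail closed
    if not 0 <= max_slippage_bps < BPS:
        raise SlippageError("tolerance out of range")
    return amount_in * ref_num // ref_den * (BPS - max_slippage_bps) // BPS


def guarded_swap(pool: Pool, amount_in: int, keeper_min_out: int,
                 ref_num: int, ref_den: int, max_slippage_bps: int = 100) -> int:
    """First exchange with the keeper's parameter bounded by the reference floor."""
    if keeper_min_out < reference_floor(amount_in, ref_num, ref_den, max_slippage_bps):
        raise SlippageError("keeper min_out below reference floor")
    return pool.swap(amount_in, keeper_min_out)


if __name__ == "__main__":
    # Constructed reserves: a balanced pool and the same pool after its price was moved.
    balanced, skewed = Pool(100_000_000, 100_000_000), Pool(110_000_000, 90_909_091)
    print(guarded_swap(balanced, 10_000, 9_900, 1, 1))  # executes
    print(skewed.swap(10_000, 5_000))  # loose keeper bound alone: executes at a poor price
```

With the floor in place, a loose keeper parameter is rejected before the router is called, and a tight one makes the router's own check revert when the pool price has moved away from the reference.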