Submission Details
Severity:
Possible override of state variable
## Summary
Possible override of state variable `slippageToleranceBps` by external contract in `BaseAdapter`.
## Vulnerability Details
The initialize function `BaseAdapter::__BaseAdapter_init` initializes the owner through `__Ownable_init(owner)` and set
`slippageToleranceBps` through the function `setSlippageTolerance(_slippageToleranceBps)` with `100` being the minimum
slippage tolerance.
However, `CurveAdapter::initialize`, `UniswapV2Adapter::initialize` and `UniswapV3Adapter::initialize` calls
`BaseAdapter::__BaseAdapter_init` to initialize the owner and set the `slippageToleranceBps` which is stored in `BaseAdapter`
For example, if `BaseAdapter::__BaseAdapter_init` is called to initialize the `owner` and set the `slippageToleranceBps` as
`100` the state variable `slippageToleranceBps` will be `100`.
Then, if `CurveAdapter::initialize` calls `BaseAdapter::__BaseAdapter_init` to initialize the owner and set the
`slippageToleranceBps` with `owner` as `address(1)` and `_slippageToleranceBps` as `500`. The state variable
`slippageToleranceBps` in `BaseAdapter` will be `500` instead of `100`.
## Impact
This will affect/alter the expected amount in `BaseAdapter::calculateAmountOutMin` causing a decrease in expected
`amountOutMin`.
Prize pool breakdown
Total prize
70,000 USDC
nSLOC
3,25821
USDC / LOC
66,500
3,500
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.