The withdraw() function lacks slippage protection, which means users might receive less than expected due to price fluctuations or inefficient liquidity rebalancing. This is especially critical if _rebalanceLiquidity() interacts with external protocols.
Without slippage protection, a user withdrawing 100,000 tokens might receive significantly less than expected.
A malicious bot could front-run them by manipulating external liquidity, causing users to receive a worse rate than expected.
Large withdrawals causing market impact
User losses due to slippage
MEV bots exploiting withdrawals (front-running)
Manual Review
Add a minimum expected amount check before completing a withdrawal: enforce a minimum amount the user must receive. This prevents withdrawals from executing if slippage exceeds an acceptable level.
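One way to implement this check, as an added example that is not the audited contract's code. Only withdraw() and _rebalanceLiquidity() are names from the finding; the vault, the ILiquiditySource interface, its redeem() function, the minAmountOut parameter and the SlippageExceeded error are assumptions, and the deposit path is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical external protocol that holds the vault's liquidity (assumption).
interface ILiquiditySource {
    function redeem(uint256 shareAmount) external;
}

// Hypothetical vault; only withdraw() and _rebalanceLiquidity() are names from the finding.
contract SlippageGuardedVault {
    IERC20 public immutable asset;
    ILiquiditySource public immutable source;
    mapping(address => uint256) public shares;

    error SlippageExceeded(uint256 received, uint256 minAmountOut);

    constructor(IERC20 asset_, ILiquiditySource source_) {
        asset = asset_;
        source = source_;
    }

    /// @param minAmountOut lowest payout the caller accepts, computed off-chain
    function withdraw(uint256 shareAmount, uint256 minAmountOut) external returns (uint256 received) {
        // Effects first: burn the caller's shares (reverts on underflow in 0.8.x).
        shares[msg.sender] -= shareAmount;

        // Measure what rebalancing actually delivered instead of trusting a quote.
        uint256 balanceBefore = asset.balanceOf(address(this));
        _rebalanceLiquidity(shareAmount);
        received = asset.balanceOf(address(this)) - balanceBefore;

        // Revert the whole withdrawal (shares included) if the rate moved too far.
        if (received < minAmountOut) revert SlippageExceeded(received, minAmountOut);

        require(asset.transfer(msg.sender, received), "transfer failed");
    }

    function _rebalanceLiquidity(uint256 shareAmount) internal {
        source.redeem(shareAmount); // external interaction whose rate can be manipulated
    }
}
```

Because the revert undoes the share burn as well, a withdrawal that falls below minAmountOut leaves the user's position unchanged.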