Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

LendingPool deposit/withdraw lack of slippage protection

0xalexsr

Summary

Users can deposit and withdraw assets in the LendingPool but there is no slippage protection so users could be frontrun and get a very bad exchange rate.

Vulnerability Details

/**

* @notice Allows a user to deposit reserve assets and receive RTokens

* @param amount The amount of reserve assets to deposit

// @audit Missing slipage

function deposit(uint256 amount) external nonReentrant whenNotPaused onlyValidAmount(amount) {

// Update the reserve state before the deposit

ReserveLibrary.updateReserveState(reserve, rateData);

// Perform the deposit through ReserveLibrary

uint256 mintedAmount = ReserveLibrary.deposit(reserve, rateData, amount, msg.sender);

// Rebalance liquidity after deposit

_rebalanceLiquidity();

emit Deposit(msg.sender, amount, mintedAmount);

}

/**

* @notice Allows a user to withdraw reserve assets by burning RTokens

* @param amount The amount of reserve assets to withdraw

// @audit missing slipage

function withdraw(uint256 amount) external nonReentrant whenNotPaused onlyValidAmount(amount) {

if (withdrawalsPaused) revert WithdrawalsArePaused();

// Update the reserve state before the withdrawal

ReserveLibrary.updateReserveState(reserve, rateData);

// Ensure sufficient liquidity is available

_ensureLiquidity(amount);

// Perform the withdrawal through ReserveLibrary

(uint256 amountWithdrawn, uint256 amountScaled, uint256 amountUnderlying) = ReserveLibrary.withdraw(

reserve, // ReserveData storage

rateData, // ReserveRateData storage

amount, // Amount to withdraw

msg.sender // Recipient

);

// Rebalance liquidity after withdrawal

_rebalanceLiquidity();

emit Withdraw(msg.sender, amountWithdrawn);

}

Those functions are responsible for depositing/withdrawing RTokens but there is no slippage protection to guarantee a minimum amount of RTokens to the users.

Impact

Users will get less RTokens than expected in case of frontrun with no limitation on slippage percentage

Recommendations

Implement minimum RTokens to be received and deadline ensuring limitation of slippage

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

LendingPool deposit/withdraw functions lack slippage protection

inallhonesty Lead Judge 3 months ago

Submission Judgement Published

Validated

Assigned finding tags:

LendingPool deposit/withdraw functions lack slippage protection

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.