Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Lack of slippage protection when withdrawing from curveVault through _withdrawFromVault()

Summary

Lack of slippage protection when withdrawing from curveVault through _withdrawFromVault()

Vulnerability Details

When the reserve lacks liquidity, the _withdrawFromVault() function is called, which in turn calls curveVault.withdraw(). The implementation is as follows:

function _withdrawFromVault(uint256 amount) internal {
    curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0)); //@audit-issue lack of slippage when withdrawing from curveVault
    totalVaultDeposits -= amount;
}

As seen in the code above, the maxLoss value is set to 0. This can cause the amount of tokens withdrawn to be less than it should be, and the withdrawal can also fall victim to a sandwich attack. Because the amount withdrawn does not match what it should be, the user does not receive the assets they are due, and the protocol also takes a loss.

Impact

Losses for users and the protocol due to receiving fewer tokens than expected and being unable to cover the lack of liquidity.

Tools Used

Manual Review

Recommended Mitigation

Consider setting a value for maxLoss.
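
An added example, not part of the submission or the project's code: a caller-side check that measures what the withdrawal actually delivered and reverts if the shortfall exceeds a configured bound, independent of how the vault interprets maxLoss. The interfaces, the asset and maxShortfallBps variables and the ShortfallTooHigh error are assumptions made for illustration; only the withdraw() call and totalVaultDeposits come from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal interfaces (assumed). The withdraw() argument order is copied from
// the call in the submission; the parameter names are illustrative.
interface IVaultLike {
    function withdraw(
        uint256 assets,
        address receiver,
        address owner,
        uint256 maxLoss,
        address[] calldata strategies
    ) external;
}

interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
}

contract VaultWithdrawGuard {
    uint256 internal constant BPS = 10_000;

    IVaultLike public immutable curveVault;
    IERC20Like public immutable asset;        // hypothetical: token the vault pays out
    uint256 public immutable maxShortfallBps; // hypothetical: tolerated shortfall in bps
    uint256 public totalVaultDeposits;

    error ShortfallTooHigh(uint256 received, uint256 minExpected);

    constructor(IVaultLike vault_, IERC20Like asset_, uint256 maxShortfallBps_) {
        require(maxShortfallBps_ <= BPS, "bps out of range");
        curveVault = vault_;
        asset = asset_;
        maxShortfallBps = maxShortfallBps_;
    }

    function _withdrawFromVault(uint256 amount) internal {
        uint256 balanceBefore = asset.balanceOf(address(this));
        // Same call as in the submission, arguments unchanged.
        curveVault.withdraw(amount, address(this), msg.sender, 0, new address[](0));
        uint256 received = asset.balanceOf(address(this)) - balanceBefore;

        // Enforce the bound on the measured balance delta, not on a vault parameter.
        uint256 minExpected = amount * (BPS - maxShortfallBps) / BPS;
        if (received < minExpected) revert ShortfallTooHigh(received, minExpected);

        totalVaultDeposits -= amount;
    }
}
```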

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
