Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

0x6a70 - Hardcoded amountAMin and amountBMin in __liquidateUnchecked function will lead to loss of funds. #77

Closed
sherlock-admin2 opened this issue Sep 10, 2024 · 0 comments
Closed

0x6a70 - Hardcoded amountAMin and amountBMin in __liquidateUnchecked function will lead to loss of funds. #77

sherlock-admin2 opened this issue Sep 10, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Sep 10, 2024
edited by sherlock-admin3
Loading

0x6a70

High

Hardcoded amountAMin and amountBMin in __liquidateUnchecked function will lead to loss of funds.

Summary

The values for amountAMin and amountBMin in __liquidateUnchecked are set to 0 , this will lead to loss of funds for users.

Vulnerability Detail

When a user redeems LV with the redeemEarlyLv or redeemExpiredLv functions which both use __liquidateUnchecked function which calls ammRouter.removeLiquidity , both of the amountAMin and amountBMin are hardcoded to 0. The protocol states that :"amountAMin & amountBMin = 0 for 100% tolerence", but the problem is that calling the function with a lack of slippage protection may cause user to receive unexpected amounts of tokens. A malicious user can take advantage and front run the transaction causing severe loss for the user, which may receive much lower amount or 0 of (raReceived, ctReceived).

Impact

This issue will lead to loss of funds for users, so the impact will be high.

Code Snippet

VaultLib.sol::__liquidateUnchecked
Information on the topic and why it should not be set to 0.
RareSkills
DefiHacksLabs

Tool used

Manual Review

Recommendation

Allow user to provide amounts for amountAMin and amountBMin.

Duplicate of #66
@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. labels Sep 14, 2024
@sherlock-admin3 sherlock-admin3 changed the title Clumsy Caramel Ostrich - Hardcoded amountAMin and amountBMin in __liquidateUnchecked function will lead to loss of funds. 0x6a70 - Hardcoded amountAMin and amountBMin in __liquidateUnchecked function will lead to loss of funds. Sep 25, 2024
@sherlock-admin3 sherlock-admin3 added the Reward A payout will be made for this issue label Sep 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin2 @sherlock-admin3