Alchemix contest - 0x52's results

A protocol for self-repaying loans with no liquidation risk.

General Information

Platform: Code4rena

Start Date: 05/05/2022

Pot Size: $125,000 DAI

Total HM: 17

Participants: 62

Period: 14 days

Judge: leastwood

Total Solo HM: 15

Id: 120

League: ETH

Alchemix

Findings Distribution

Researcher Performance

Rank: 8/62

Findings: 1

Award: $6,389.44

🌟 Selected for report: 1

🚀 Solo Findings: 1

Findings Information

🌟 Selected for report: 0x52

Labels

bug
2 (Med Risk)
sponsor acknowledged

Awards

6389.4401 DAI - $6,389.44

External Links

Lines of code

https://github.com/code-423n4/2022-05-alchemix/blob/de65c34c7b6e4e94662bf508e214dcbf327984f4/contracts-full/TransmuterBuffer.sol#L498-L505

Vulnerability details

Impact

Loss of funds in TransmuterBuffer

Proof of Concept

If the buffer is called at an unfavorable time, a large portion of the deposited funds may be lost to slippage, because deposit is called with 0 as the minimum amount out, which accepts any level of slippage.

Recommended Mitigation Steps

Implement a slippage calculation similar to the one in _alchemistWithdraw to protect against this.
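An added illustration of the finding and its mitigation, not code from the Alchemix repository: a constructed constant-product pool stands in for the venue the deposit is routed through, and the same deposit is run once with a minimum out of 0 (the reported call) and once with a minimum derived from a reference price and a configurable slippage allowance in basis points. The Pool model, the 1:1 reference price and the minimum_amount_out helper are assumptions.

```python
WAD = 10**18          # 18-decimal fixed point, as in Solidity
BPS = 10_000          # basis-point denominator

class SlippageExceeded(Exception):
    """Raised where the on-chain version would revert."""

class Pool:
    """Constructed constant-product pool (x*y=k, no fee) quoting
    underlying -> yield token; a hypothetical stand-in for the real venue."""

    def __init__(self, reserve_in: int, reserve_out: int):
        self.reserve_in = reserve_in
        self.reserve_out = reserve_out

    def quote(self, amount_in: int) -> int:
        return self.reserve_out * amount_in // (self.reserve_in + amount_in)

    def swap(self, amount_in: int) -> int:
        out = self.quote(amount_in)
        self.reserve_in += amount_in
        self.reserve_out -= out
        return out

def minimum_amount_out(amount: int, price_wad: int, max_slippage_bps: int) -> int:
    """Expected output at a reference price minus a configurable slippage
    allowance: the pattern the mitigation recommends (assumed, not Alchemix code)."""
    expected = amount * price_wad // WAD
    return expected * (BPS - max_slippage_bps) // BPS

def deposit(pool: Pool, amount: int, minimum_out: int) -> int:
    """Deposit through the pool with a minimum-out check; minimum_out == 0
    reproduces the reported call, which accepts any output."""
    received = pool.quote(amount)
    if received < minimum_out:
        raise SlippageExceeded(f"got {received}, required {minimum_out}")
    return pool.swap(amount)

def compare(amount: int, max_slippage_bps: int = 100) -> dict:
    """Run one deposit against a thin 1:1 pool, unguarded and guarded (1% allowance)."""
    unguarded = deposit(Pool(1_000_000, 1_000_000), amount, 0)
    try:
        guarded = deposit(Pool(1_000_000, 1_000_000), amount,
                          minimum_amount_out(amount, WAD, max_slippage_bps))
    except SlippageExceeded:
        guarded = None  # reverted: nothing left the buffer
    return {"expected": amount, "unguarded": unguarded, "guarded": guarded}
```

With a 200,000 deposit into the thin pool the unguarded path hands back 166,666 (about 17% lost to price impact) while the guarded path reverts; a 1,000 deposit stays within the 1% allowance and succeeds on both paths.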

#0 - 0xfoobar

2022-05-22T21:26:34Z

Sponsor acknowledged

This function is only called by keeper bots harvesting yields, which should not be subject to large slippage and could be sent through a private mempool if necessary. However, we acknowledge that a configurable parameter could enable greater protection, even if in practice the issue does not occur.

#1 - 0xleastwood

2022-06-03T16:59:51Z

Because this requires the keeper role to sandwich attack the protocol when yield is harvested, this better fits the criteria of a medium severity issue.
