Platform: Code4rena
Start Date: 14/10/2021
Pot Size: $50,000 USDC
Total HM: 3
Participants: 14
Period: 7 days
Judge: 0xean
Total Solo HM: 3
Id: 37
League: ETH
Rank: 6/14
Findings: 1
Award: $1,022.73
🌟 Selected for report: 0
🚀 Solo Findings: 0
hyh
Function _exitTempusAmmAndRedeem, https://github.com/code-423n4/2021-10-tempus/blob/main/contracts/TempusController.sol#L616, runs Balancer's swap with no minimum amount out, which can be subject to a sandwich attack given amounts to swap big enough to cover the attacker's pool manipulation costs. As the function is called by the exitTempusAmmAndRedeem function (https://github.com/code-423n4/2021-10-tempus/blob/main/contracts/TempusController.sol#L240), which withdraws user funds from the Tempus AMM, the amounts to be swapped are determined by the user's combined principal and yield stake and are generally unbounded (i.e. it is not a function that can be called by a script frequently enough to ensure that it will never deal with amounts substantial enough to justify an attack). This way _exitTempusAmmAndRedeem can be called with big enough amounts and is exploitable.
Add minimum required price based on current yield.
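The following Solidity contract is an added illustration, not Tempus code and not part of the original finding. It contrasts the weak shape the finding describes (a Balancer V2 Vault swap called with `limit = 0`, so any output is accepted) with a hardened helper that takes an explicit `minReturn` and `deadline` from the caller. The `IVault`, `SingleSwap` and `FundManagement` definitions are a minimal subset reproduced from the Balancer V2 interface as an assumption so the file compiles stand-alone; the contract name `SwapWithMinReturnExample` and the helper names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Balancer V2's Vault interface (assumption: names and
// signatures as in Balancer V2), reproduced so this example compiles alone.
interface IAsset {}

interface IVault {
    enum SwapKind { GIVEN_IN, GIVEN_OUT }

    struct SingleSwap {
        bytes32 poolId;
        SwapKind kind;
        IAsset assetIn;
        IAsset assetOut;
        uint256 amount;
        bytes userData;
    }

    struct FundManagement {
        address sender;
        bool fromInternalBalance;
        address payable recipient;
        bool toInternalBalance;
    }

    // For SwapKind.GIVEN_IN, `limit` is the least amount of assetOut the
    // caller accepts; the Vault reverts if the swap would yield less.
    function swap(
        SingleSwap memory singleSwap,
        FundManagement memory funds,
        uint256 limit,
        uint256 deadline
    ) external payable returns (uint256 amountCalculated);
}

// Hypothetical contract (not Tempus code). Precondition for both helpers:
// this contract has approved the Vault to pull `amountIn` of assetIn.
contract SwapWithMinReturnExample {
    IVault public immutable vault;
    bytes32 public immutable poolId;

    constructor(IVault _vault, bytes32 _poolId) {
        vault = _vault;
        poolId = _poolId;
    }

    function _buildSwap(IAsset assetIn, IAsset assetOut, uint256 amountIn)
        private
        view
        returns (IVault.SingleSwap memory singleSwap, IVault.FundManagement memory funds)
    {
        singleSwap = IVault.SingleSwap({
            poolId: poolId,
            kind: IVault.SwapKind.GIVEN_IN,
            assetIn: assetIn,
            assetOut: assetOut,
            amount: amountIn,
            userData: ""
        });
        // Tokens leave from and return to this contract; no internal balances.
        funds = IVault.FundManagement({
            sender: address(this),
            fromInternalBalance: false,
            recipient: payable(address(this)),
            toInternalBalance: false
        });
    }

    // Weak pattern (the shape the finding describes): limit = 0 accepts any
    // output, so a trade that moves the pool price right before this swap and
    // one that restores it right after can capture most of the value when
    // amountIn is large. Kept here only to show the contrast.
    function _swapNoMinimum(IAsset assetIn, IAsset assetOut, uint256 amountIn)
        internal
        returns (uint256 amountOut)
    {
        (IVault.SingleSwap memory s, IVault.FundManagement memory f) =
            _buildSwap(assetIn, assetOut, amountIn);
        amountOut = vault.swap(s, f, 0, block.timestamp);
    }

    // Hardened pattern: the caller states the least output it accepts and a
    // deadline, so a manipulated pool price makes the swap revert instead of
    // silently paying out less. A user-facing function should forward the
    // user's own minReturn (a fair quote minus accepted slippage) into here.
    function _swapWithMinReturn(
        IAsset assetIn,
        IAsset assetOut,
        uint256 amountIn,
        uint256 minReturn,
        uint256 deadline
    ) internal returns (uint256 amountOut) {
        require(minReturn > 0, "minReturn not set");
        require(deadline >= block.timestamp, "deadline passed");
        (IVault.SingleSwap memory s, IVault.FundManagement memory f) =
            _buildSwap(assetIn, assetOut, amountIn);
        amountOut = vault.swap(s, f, minReturn, deadline);
        // Defence in depth: do not rely solely on the Vault honouring `limit`.
        require(amountOut >= minReturn, "insufficient output");
    }
}
```

The check `minReturn > 0` rejects the default value a careless caller might pass, which would otherwise reintroduce the unbounded-slippage behaviour; the explicit `deadline` keeps a pending transaction from being executed much later under different pool conditions.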
#0 - mijovic
2021-10-21T09:25:46Z
This one is a duplicate of https://github.com/code-423n4/2021-10-tempus-findings/issues/23
In the linked issue, mitigation steps are much better and we plan to solve this by exposing a parameter to set minReturn instead of setting it automatically.