Platform: Code4rena
Start Date: 15/07/2021
Pot Size: $80,000 USDC
Total HM: 28
Participants: 18
Period: 7 days
Judge: ghoulsol
Total Solo HM: 18
Id: 20
League: ETH
Rank: 7/18
Findings: 2
Award: $1,773.90
🌟 Selected for report: 1
🚀 Solo Findings: 0
1773.9026 USDC - $1,773.90
tensors
There are no minimum amounts out, or checks that frontrunning/slippage is sufficiently mitigated. This means that anyone with enough capital can force arbitrarily large slippage by sandwiching transactions, close to 100%.
Add a minimum amount out parameter. The function reverts if the minimum amount isn't obtained.
#0 - verifyfirst
2021-07-22T01:03:11Z
We acknowledge the issue for the protocol's AMM, but if this becomes a large issue in the future, the router is easily upgradeable to include a minimum rate parameter.
#1 - SamusElderg
2021-07-30T05:27:28Z
Have changed this to confirmed, even though we already were aware of it; we have discussed and are happy to add in a UI-handed arg for minAmount now rather than reactively in the future. Disagree with severity though; this wasn't a problem with V1 at all.
#2 - ghoul-sol
2021-08-08T22:17:50Z
I'll keep high risk as sandwich attacks are very common and the risk of getting a bad swap is real.
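
The recommended minimum-amount-out check, as an added example that is not code from the finding or from the audited protocol: a toy pool shows a swap executing at a moved price when no minimum is passed, and reverting when one is. The constant-product formula, the names (`Pool`, `min_out_for`, `user_swap_after_price_move`) and all numbers are assumptions made for illustration.

```python
# Added example: toy constant-product pool (x * y = k, no fees). The pool
# model, names and numbers are assumptions, not the audited protocol's code.

class SlippageExceeded(Exception):
    """Stands in for an on-chain revert."""


class Pool:
    def __init__(self, reserve_in: int, reserve_out: int):
        self.reserve_in = reserve_in
        self.reserve_out = reserve_out

    def quote(self, amount_in: int) -> int:
        # Output for amount_in at the current reserves (integer math, rounds down).
        return amount_in * self.reserve_out // (self.reserve_in + amount_in)

    def swap(self, amount_in: int, min_amount_out: int = 0) -> int:
        # min_amount_out=0 reproduces the reported behaviour: any price is accepted.
        amount_out = self.quote(amount_in)
        if amount_out < min_amount_out:
            raise SlippageExceeded(f"got {amount_out}, need >= {min_amount_out}")
        self.reserve_in += amount_in
        self.reserve_out -= amount_out
        return amount_out


def min_out_for(quoted: int, tolerance_bps: int) -> int:
    # What a UI would pass: the quote minus an accepted slippage in basis points.
    return quoted * (10_000 - tolerance_bps) // 10_000


def user_swap_after_price_move(prior_trade_in: int, user_in: int, tolerance_bps=None):
    """Run a user swap that lands after another trade has moved the price.

    Returns (quoted, received); received is None if the swap reverted.
    """
    pool = Pool(1_000_000, 1_000_000)          # constructed reserves
    quoted = pool.quote(user_in)               # price the user saw when signing
    pool.swap(prior_trade_in)                  # trade ordered ahead of the user
    min_out = 0 if tolerance_bps is None else min_out_for(quoted, tolerance_bps)
    try:
        return quoted, pool.swap(user_in, min_out)
    except SlippageExceeded:
        return quoted, None
```

With a 1% tolerance the swap still goes through after ordinary price movement and only reverts when the execution price falls below the bound the user agreed to.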