Sandclock contest - ye0lde's results

Handle

ye0lde

Vulnerability details

Impact

Since the code does not use a minimum return value for swaps it is susceptible to sandwich attacks. More information here: https://cmichel.io/de-fi-sandwich-attacks/

Proof of Concept

Here the code Calls Curve to convert the existing underlying balance into UST: https://github.com/code-423n4/2022-01-sandclock/blob/a90ad3824955327597be00bb0bd183a9c228a4fb/sandclock/contracts/strategy/NonUSTStrategy.sol#L71-L85

    /**
     * Calls Curve to convert the existing underlying balance into UST
     */
    function _swapUnderlyingToUst() internal {
        uint256 underlyingBalance = _getUnderlyingBalance();
        if (underlyingBalance > 0) {
            // slither-disable-next-line unused-return
            curvePool.exchange_underlying(
                underlyingI,
                ustI,
                underlyingBalance,
                0
            );
        }
    }

It does not specify the minimum amount of UST to receive at line 82.

A similar problem occurs here: https://github.com/code-423n4/2022-01-sandclock/blob/a90ad3824955327597be00bb0bd183a9c228a4fb/sandclock/contracts/strategy/NonUSTStrategy.sol#L94

Tools Used

Visual Studio Code, Remix

Recommended Mitigation Steps

Add minimum return amount checks.