Inappropriate slippage parameter settings. #304
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-805
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/main/src/staking/Liquidity.sol#L62
https://github.com/code-423n4/2024-01-salty/blob/main/src/staking/Liquidity.sol#L72
Vulnerability details
Impact
Inappropriate slippage parameters are used when calculating zapAmount.
The provided minAmountOut is set to 0.
Without slippage control, the user can receive the least optimal amount of the token they want to trade.
Users may incur losses of assets when adding liquidity.
In addition, the deadline is set to block.timestamp.
See code-423n4/2022-11-paraspace-findings#429: a validator can hold the transaction, and the deadline will equal block.timestamp of whichever block it is eventually put into, so this offers no protection.
This could result in users executing transactions at unfavorable prices.
Proof of Concept
https://github.com/code-423n4/2024-01-salty/blob/main/src/staking/Liquidity.sol#L62
https://github.com/code-423n4/2024-01-salty/blob/main/src/staking/Liquidity.sol#L72
Tools Used
Recommended Mitigation Steps
Implement proper slippage control.
Assessed type
MEV
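The two parameter choices described above, modelled as an added example (not code from the Salty repository or from the submitter). It assumes a simplified fee-free constant-product pool; all names, reserves and timestamps are constructed for illustration.

```python
# Added illustration: simplified constant-product pool (x * y = k, no fees).
# Every name and number here is constructed; this is not Salty's code.

def amount_out(reserve_in, reserve_out, amount_in):
    """Output of a constant-product swap, rounded down as on-chain."""
    return reserve_out * amount_in // (reserve_in + amount_in)

def try_swap(pool, amount_in, min_amount_out, deadline, block_timestamp):
    """Run the two guards a swap is expected to enforce.
    Returns the amount received, or the revert reason as a string."""
    if block_timestamp > deadline:
        return "revert: expired"
    out = amount_out(pool["in"], pool["out"], amount_in)
    if out < min_amount_out:
        return "revert: insufficient output"
    return out

def min_out_from_quote(quote, slippage_bps):
    """Lower bound derived off-chain from the quote the user saw."""
    return quote * (10_000 - slippage_bps) // 10_000

SIGNED_AT = 1_700_000_000                      # when the user signed (constructed)
QUOTED = {"in": 1_000_000, "out": 1_000_000}   # reserves when quoted
MOVED = {"in": 1_250_000, "out": 800_000}      # same k, price moved before inclusion
AMOUNT_IN = 10_000
QUOTE = amount_out(QUOTED["in"], QUOTED["out"], AMOUNT_IN)   # 9900

def weak_call(pool, now):
    # Pattern from the finding: minAmountOut = 0 and deadline = block.timestamp.
    # Both guards compare against values that can never fail.
    return try_swap(pool, AMOUNT_IN, 0, now, now)

def bounded_call(pool, now):
    # User-supplied bounds: 0.5% tolerance on the quote, 5 minute deadline.
    return try_swap(pool, AMOUNT_IN, min_out_from_quote(QUOTE, 50),
                    SIGNED_AT + 300, now)

if __name__ == "__main__":
    late = SIGNED_AT + 3600      # transaction held for an hour
    soon = SIGNED_AT + 60
    print("weak, held 1h, moved price :", weak_call(MOVED, late))
    print("bounded, held 1h           :", bounded_call(MOVED, late))
    print("bounded, prompt, moved     :", bounded_call(MOVED, soon))
    print("bounded, prompt, as quoted :", bounded_call(QUOTED, soon))
```

With both bounds supplied by the caller, the swap either executes near the quoted price or reverts; with the hard-coded values it executes at whatever price and time the transaction happens to be included.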