Disagree with risk (should be medium like all other harvest findings). Also, we have optional harvest, which means we can skip it; hence the finding is deceiving at best.
Handle
tensors
Vulnerability details
Impact
We have previously seen that the harvest function can be exploited for almost all the tokens at stake.
Since ManualRebalance calls harvest, it is also unsafe and funds swapped using it will likely be lost.
Proof of Concept
https://github.com/code-423n4/2021-09-bvecvx/blob/1d64bd58c7a4224cc330cef283561e90ae6a3cf5/veCVX/contracts/veCVXStrategy.sol#L444-L453
Recommended Mitigation Steps
Adding a minimum amount out here, which should be passed on to the harvest method, will work.
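One way to implement the recommendation above, as an added sketch that is not the veCVXStrategy code or part of the original report. It assumes the swap goes through a Uniswap V2-style router; the contract name, the `keeper` role, and the `minWantOut` parameter are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration only. Assumption: rewards are swapped on a Uniswap V2-style
// router. Contract, role and parameter names are hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IUniswapV2Router {
    function swapExactTokensForTokens(
        uint256 amountIn, uint256 amountOutMin, address[] calldata path,
        address to, uint256 deadline
    ) external returns (uint256[] memory amounts);
}

contract SlippageCheckedStrategy {
    IUniswapV2Router public immutable router;
    IERC20 public immutable reward;
    IERC20 public immutable want;
    address public immutable keeper;

    constructor(IUniswapV2Router _router, IERC20 _reward, IERC20 _want, address _keeper) {
        router = _router;
        reward = _reward;
        want = _want;
        keeper = _keeper;
    }

    modifier onlyKeeper() { require(msg.sender == keeper, "not keeper"); _; }

    // minWantOut is computed off-chain by the keeper from a trusted price source.
    // The router reverts the swap if the pool would return less than this amount.
    function harvest(uint256 minWantOut) public onlyKeeper returns (uint256 received) {
        uint256 amountIn = reward.balanceOf(address(this));
        if (amountIn == 0) return 0;
        address[] memory path = new address[](2);
        path[0] = address(reward);
        path[1] = address(want);
        reward.approve(address(router), amountIn);
        uint256[] memory amounts = router.swapExactTokensForTokens(
            amountIn, minWantOut, path, address(this), block.timestamp);
        received = amounts[amounts.length - 1];
    }

    // The rebalance entry point forwards the caller's bound instead of swapping unbounded.
    function manualRebalance(uint256 minWantOut) external onlyKeeper returns (uint256) {
        return harvest(minWantOut);
    }
}
```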