Vast Blood Dragon - `_addLiquidity` Has An Invalid Slippage Check Causing Loss Of User Funds

Vast Blood Dragon - _addLiquidity has an invalid slippage check causing loss of user funds

Introduction

In the world of decentralized finance (DeFi), liquidity provision is a crucial aspect of maintaining a healthy and stable ecosystem. However, with the increasing complexity of smart contracts and the dynamic nature of liquidity pools, vulnerabilities can arise that put user funds at risk. In this article, we will delve into the Vast Blood Dragon contract, specifically the _addLiquidity function, and explore how an invalid slippage check can lead to the loss of user funds.

The Issue

The _addLiquidity function in the SymmVesting contract utilizes the getLiquidityQuote() function to pre-calculate the USDC amount (usdcIn) required for liquidity addition. However, this pre-calculated value is not verified against the actual USDC amount (amountsIn[1]) returned by the router. This discrepancy can lead to a situation where the slippage check fails to catch the difference between the pre-calculated and actual amounts, potentially allowing the transaction to succeed with more USDC spent than intended.

(uint256 usdcIn, uint256 expectedLpAmount) = getLiquidityQuote(symmIn)

Root Cause

The root cause of this issue lies in the code's reliance on the outdated, pre-calculated usdcIn value instead of verifying the actual USDC amount (amountsIn[1]) returned by the router. As a result, any differences between the pre-calculated and actual amounts due to dynamic pool changes can bypass the intended slippage protection.

//Line 175
if (maxUsdcIn > 0 && usdcIn > maxUsdcIn) revert MaxUsdcExceeded()

Internal Pre-conditions

In this case, there are no internal pre-conditions that need to be met before the issue can occur.

External Pre-conditions

For the issue to occur, the following external pre-conditions must be met:

1. Outdated liquidity quote: The function getLiquidityQuote() is used to pre-calculate the USDC amount (usdcIn) based on the current pool balances. This value is then used in the slippage check before the actual liquidity addition.
2. The liquidity pool's state (its token balances) must change between the time the pre-calculated usdcIn is determined and when the router actually processes the liquidity addition. This change can lead to the actual USDC required (amountsIn[1]) being higher than the pre-calculated value.

Attack Path

Unfortunately, there is no attack path provided for this issue.

Impact

The impact of this issue is that users may end up spending more USDC than they intended, potentially leading to financial losses.

PoC

Unfortunately, there is no proof of concept (PoC) provided for this issue.

Mitigation

To address the slippage protection issue, the contract should enforce the maxUsdcIn limit using the actual USDC amount consumed (amountsIn[1]) rather than the pre-calculated usdcIn. This can be achieved by modifying the code as follows:

if (maxUsdcIn > 0 && amountsIn[1] > maxUsdcIn) revert MaxUsdcExceeded();

By making this change, the contract can ensure that the slippage check is performed using the actual USDC amount, thereby preventing the loss of user funds.

Conclusion

In conclusion, the Vast Blood Dragon contract's _addLiquidity function has an invalid slippage check that can lead to the loss of user funds. By understanding the root cause of this issue and implementing the necessary mitigation, developers can ensure that their contracts are secure and reliable. As the DeFi ecosystem continues to evolve, it is essential to prioritize security and transparency to maintain the trust of users and investors.
Vast Blood Dragon - _addLiquidity has an invalid slippage check causing loss of user funds

Q&A

In this article, we will address some of the most frequently asked questions related to the Vast Blood Dragon contract's _addLiquidity function and the invalid slippage check.

Q: What is the purpose of the _addLiquidity function in the Vast Blood Dragon contract?

A: The _addLiquidity function is used to add liquidity to a liquidity pool. It allows users to provide liquidity to the pool in exchange for a share of the pool's tokens.

Q: What is the issue with the slippage check in the _addLiquidity function?

A: The slippage check in the _addLiquidity function is based on a pre-calculated USDC amount (usdcIn) obtained from the getLiquidityQuote() function. However, this pre-calculated value is not verified against the actual USDC amount (amountsIn[1]) returned by the router. This discrepancy can lead to a situation where the slippage check fails to catch the difference between the pre-calculated and actual amounts, potentially allowing the transaction to succeed with more USDC spent than intended.

Q: What are the pre-conditions for the issue to occur?

A: For the issue to occur, the following pre-conditions must be met:

1. Outdated liquidity quote: The function getLiquidityQuote() is used to pre-calculate the USDC amount (usdcIn) based on the current pool balances. This value is then used in the slippage check before the actual liquidity addition.
2. The liquidity pool's state (its token balances) must change between the time the pre-calculated usdcIn is determined and when the router actually processes the liquidity addition. This change can lead to the actual USDC required (amountsIn[1]) being higher than the pre-calculated value.

Q: What is the impact of the issue?

A: The impact of the issue is that users may end up spending more USDC than they intended, potentially leading to financial losses.

Q: How can the issue be mitigated?

A: To address the slippage protection issue, the contract should enforce the maxUsdcIn limit using the actual USDC amount consumed (amountsIn[1]) rather than the pre-calculated usdcIn. This can be achieved by modifying the code as follows:

if (maxUsdcIn > 0 && amountsIn[1] > maxUsdcIn) revert MaxUsdcExceeded();

Q: What is the recommended course of action for developers?

A: Developers should ensure that their contracts are secure and reliable by implementing robust slippage checks and verifying the actual amounts used in transactions. Additionally, they should regularly review and update their code to prevent similar issues from arising.

Q: What is the recommended course of action for users?

A: Users should exercise caution when interacting with contracts that have been identified as having security vulnerabilities. They should carefully review the contract's code and ensure that they understand the risks involved before proceeding with transactions.

Conclusion

In conclusion, the Vast Blood Dragon contract's _addLiquidity function has an invalid slippage check that can lead to the loss of user funds. By understanding the root cause of this issue and implementing the necessary mitigation, developers can ensure that their contracts are secure and reliable. As the DeFi ecosystem continues to evolve, it is essential to prioritize security and transparency to maintain the trust of users and investors.