Assessment reportsPublic findings
Back to Zellic site
Assessment reports>WOOFI Stake>Discussion>Slippage check not performed during compoundReward function
GeneralOverview
Findings
Critical (1)
Medium (2)
Low (1)
DiscussionInstant withdraw cap can be bypassedSimilarities to ERC-4626 first-deposit issueSlippage check not performed during compoundReward function
Threat ModelWhat are threat models?BaseStrategy.solStrategyAave.solVaultV2.solWooLendingManager.solWooStakingCompounder.solWooStakingController.solWooStakingLocal.solWooStakingManager.solWooStakingProxy.solWooSuperChargerVaultV2.solWooWithdrawManagerV2.sol
Audit ResultsAssessment Results

Slippage check not performed during compoundReward function

The compoundRewards function from RewardCampaignManager does not perform slippage checks when swapping the reward token for WOO tokens. Slippage checks are an important part of ensuring that the swap occurs on favorable terms. Without slippage checks, the contract is exposed to wild price fluctuations that could result in a significant loss of funds, depending on the traded amounts.

function compoundRewards(address _user) public onlyAdmin {
    // ...
    // ...
    wooAmount += wooPP.swap(
        _rewarder.rewardToken(), // fromToken 
        woo, // toToken
        rewardAmount, // fromAmount
        0, // minToAmount
        // @audit-issue no slippage checks.
        selfAddr, // to
        selfAddr // rebateTo
    );
    // ...
}

We recommend adding slippage checks to the compoundRewards function to ensure that the swap occurs on favorable terms.

Zellic © 2024Back to top ↑