Description
Bug Description
The harvester's harvest() function exchanges reward tokens to USDC. There is a bug in the following lines:
if (cvxBalance > 0) {
    // Bug: crvEthPrice is the CRV/ETH oracle, but the amount being sold is CVX
    uint256 expectedOut = (_getPriceForAmount(crvEthPrice, cvxBalance));
    cvxeth.exchange(
        1,
        0,
        cvxBalance,
        _getMinReceived(expectedOut), // min-out derived from the wrong oracle
        false
    );
}
The crvEthPrice oracle is used instead of the cvxEthPrice oracle (a typo). As a result, the exchange will not revert even when slippage is far above the allowed slippage, because the minimum-received amount is derived from the CRV price rather than the CVX price. Currently crvPrice / cvxPrice = 20%, so the exchange can lose 80% of value on top of the configured slippage.
Impact
The protocol can lose far more of the rewards earned from Convex staking than planned.
Risk Breakdown
Weakness: Oracle confusion
Recommendation
Fix the typo: uint256 expectedOut = (_getPriceForAmount(cvxEthPrice, cvxBalance));
Proof of Concept
claimRewards() is called on the Convex executor, which sends 100 CVX reward tokens to the harvester
harvester calculates the minimum received using the wrong oracle: crvPrice * 100 * 0.9 (set slippage) = $108
harvester correct calculation: cvxPrice * 100 * 0.9 = $528
actual tolerated slippage was (587 - 108) / 587 = 81.6%
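To make the arithmetic concrete, the following is an added Python model of the min-received computation (not the harvester's code) with the wrong oracle and the corrected one. Prices in USD cents, the 10% slippage, and the helper names are constructed to mirror the report's figures.

```python
# Constructed prices in USD cents, chosen to reproduce the report's numbers:
# 100 CVX at fair value $587, 100 CRV at $120 (crvPrice / cvxPrice ~= 20%).
PRICE_CENTS = {"CRV": 120, "CVX": 587}
SLIPPAGE_BPS = 1000  # allowed slippage 10%, i.e. the report's 0.9 multiplier


def get_price_for_amount(price_cents: int, amount: int) -> int:
    """Model of _getPriceForAmount: USD value (cents) of `amount` tokens."""
    return price_cents * amount


def get_min_received(expected_out: int, slippage_bps: int = SLIPPAGE_BPS) -> int:
    """Model of _getMinReceived: expected value reduced by the allowed slippage."""
    return expected_out * (10_000 - slippage_bps) // 10_000


def min_out_for_sale(token_sold: str, amount: int, oracle_token: str) -> int:
    """min-out the harvester passes to the pool when selling `amount` of
    `token_sold`. The bug is oracle_token != token_sold (CRV oracle for CVX)."""
    expected_out = get_price_for_amount(PRICE_CENTS[oracle_token], amount)
    return get_min_received(expected_out)


def max_tolerated_loss(token_sold: str, amount: int, oracle_token: str) -> float:
    """Largest loss (fraction of fair value) the min-out check still accepts."""
    fair = get_price_for_amount(PRICE_CENTS[token_sold], amount)
    return (fair - min_out_for_sale(token_sold, amount, oracle_token)) / fair


def exchange_reverts(token_sold: str, amount: int, oracle_token: str,
                     actual_out_cents: int) -> bool:
    """Model of the pool's min-received check: True means the swap reverts."""
    return actual_out_cents < min_out_for_sale(token_sold, amount, oracle_token)


if __name__ == "__main__":
    for oracle in ("CRV", "CVX"):
        print(f"oracle={oracle}: min_out=${min_out_for_sale('CVX', 100, oracle) / 100:.2f}, "
              f"max tolerated loss={max_tolerated_loss('CVX', 100, oracle):.1%}")
```

With the CRV oracle a pool paying only $150 for 100 CVX (fair value $587) passes the check; with the CVX oracle the same swap reverts.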
Immunefi closed the report because the impact was out of scope. Brahma.Fi fixed the oracle issue a couple of days after submission, without re-opening the report.