MED - Brahma.Fi - Wrong oracle used to calculate min slippage may cause loss of over 80% of rewards

Description

Bug Description

The harvester's harvest() function swaps the claimed reward tokens (CRV and CVX) to USDC, using an oracle price times the configured slippage to compute the minimum amount the pool must return. There is a bug in the following lines:

    if (cvxBalance > 0) {
        // BUG: crvEthPrice is the CRV feed; the CVX balance is being valued at the CRV price.
        // The intended line is _getPriceForAmount(cvxEthPrice, cvxBalance).
        uint256 expectedOut = (_getPriceForAmount(crvEthPrice, cvxBalance));

        cvxeth.exchange(
            1,
            0,
            cvxBalance,
            _getMinReceived(expectedOut), // min_dy: the pool reverts only if it returns less than this
            false
        );
    }


The crvEthPrice oracle is used instead of the cvxEthPrice oracle (a copy-paste typo), so expectedOut is the value of the CVX balance priced as if it were CRV. At current prices crvPrice / cvxPrice is roughly 20%, so the minimum-received floor handed to the pool is about one fifth of what it should be. The exchange therefore does not revert even when the fill is wildly outside the configured slippage: on top of the set slippage, roughly 80% of the value can be lost before the check trips.


Impact

The protocol can lose far more of the rewards earned from Convex staking than the configured slippage allows. Since minReceived is the only on-chain protection against a bad fill, the shortfall is not limited to organic slippage: anyone who can move the cvxeth pool price around the harvest transaction can capture the difference.


Risk Breakdown

Weakness: Oracle confusion


Recommendation

Fix the typo: uint256 expectedOut = (_getPriceForAmount(cvxEthPrice, cvxBalance));

Beyond the one-line fix, two things would keep this class of mistake from recurring: look the price feed up by the token being sold (one mapping from reward token to oracle) rather than keeping a separate storage variable per token that a caller can mix up, and add a unit test asserting that the minReceived computed for a CVX balance is within the configured slippage of the CVX spot value.


Proof of Concept

  1. claimRewards() is called on the Convex executor and sends 100 CVX reward tokens to the harvester.

  2. The harvester computes the floor with the CRV oracle: crvPrice * 100 * 0.9 (configured slippage) = $108 (CRV at roughly $1.20 at the time of the report).

  3. The correct floor would be cvxPrice * 100 * 0.9 = $528 (CVX at roughly $5.87, so 100 CVX is worth about $587).

  4. The swap therefore succeeds with as little as $108 returned for $587 of CVX, an effective tolerated slippage of (587 - 108) / 587 = 81.6% instead of the configured 10%.
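The arithmetic above, carried through as an added example (this is not Brahma.Fi's code, and the prices, the 18-decimal fixed point and the 10% slippage setting are assumptions chosen to reproduce the PoC numbers). It models the harvester's floor computation, shows how far below fair value a fill can land under each oracle, and simulates the pool's min_dy check so the same adversarial fill is accepted with the wrong oracle and rejected with the right one:

```python
# Model of the harvester's slippage floor with the wrong and the right oracle.
# Added example, not Brahma.Fi's code. Prices below are constructed to match
# the report's PoC numbers and are an assumption, not live market data.

WAD = 10**18          # 18-decimal fixed point, assumed for prices and amounts
MAX_BPS = 10_000
SLIPPAGE_BPS = 1_000  # 10% allowed slippage -> 0.9 multiplier, as in the PoC

# Constructed USD prices (1e18 fixed point): CRV ~ $1.20, CVX ~ $5.87.
PRICES_WAD = {"CRV": 120 * WAD // 100, "CVX": 587 * WAD // 100}


def get_price_for_amount(price_wad: int, amount_wad: int) -> int:
    """USD value (1e18) of `amount_wad` tokens at `price_wad` USD per token."""
    return price_wad * amount_wad // WAD


def get_min_received(expected_out_wad: int) -> int:
    """Floor the harvester passes to the pool: expectedOut * (1 - slippage)."""
    return expected_out_wad * (MAX_BPS - SLIPPAGE_BPS) // MAX_BPS


def min_received(oracle_token: str, amount_wad: int) -> int:
    """minReceived when `oracle_token`'s feed is used to value the sold amount.

    Passing "CRV" here while selling CVX reproduces the bug; passing the
    sold token itself is the fixed behaviour.
    """
    return get_min_received(get_price_for_amount(PRICES_WAD[oracle_token], amount_wad))


def effective_slippage_bps(sold_token: str, oracle_token: str, amount_wad: int) -> int:
    """How far below fair value a fill can land and still pass the floor, in bps."""
    fair = get_price_for_amount(PRICES_WAD[sold_token], amount_wad)
    floor = min_received(oracle_token, amount_wad)
    return (fair - floor) * MAX_BPS // fair


class SlippageExceeded(Exception):
    """Stand-in for the pool's revert when output is below min_dy."""


def exchange(amount_out_wad: int, min_received_wad: int) -> int:
    """Stand-in for cvxeth.exchange: succeed only if the fill meets the floor."""
    if amount_out_wad < min_received_wad:
        raise SlippageExceeded(f"got {amount_out_wad}, floor {min_received_wad}")
    return amount_out_wad


def harvest_accepts(sold_token: str, oracle_token: str, amount_wad: int, fill_wad: int) -> bool:
    """True if a fill of `fill_wad` USD for `amount_wad` of `sold_token` passes the check."""
    try:
        exchange(fill_wad, min_received(oracle_token, amount_wad))
        return True
    except SlippageExceeded:
        return False


if __name__ == "__main__":
    cvx = 100 * WAD  # the 100 CVX from the PoC
    print("floor with CRV oracle (bug):", min_received("CRV", cvx) / WAD)   # 108.0
    print("floor with CVX oracle (fix):", min_received("CVX", cvx) / WAD)   # 528.3
    print("tolerated slippage, bug (bps):", effective_slippage_bps("CVX", "CRV", cvx))  # 8160
    print("tolerated slippage, fix (bps):", effective_slippage_bps("CVX", "CVX", cvx))  # 1000
    # A fill that returns only $150 for ~$587 of CVX: accepted under the bug, rejected after the fix.
    print("bug accepts $150 fill:", harvest_accepts("CVX", "CRV", cvx, 150 * WAD))  # True
    print("fix accepts $150 fill:", harvest_accepts("CVX", "CVX", cvx, 150 * WAD))  # False
```

Note that min_received is keyed by token name rather than by a separately named variable per feed; that is the shape of the structural fix suggested under Recommendation, since the sold token and the oracle used to value it cannot then drift apart the way crvEthPrice and cvxEthPrice did in the contract.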


 

Immunefi has closed the report due to impact being out of scope. Brahma.Fi fixed the oracle issue a couple of days after submission, without re-opening the report.
