Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Description
Brief/Intro
When depositing into the Autopool, the strategy uses the router implementation from Auto Finance and calls its depositMax function.
This function accepts minSharesOut as a parameter; however, our implementation passes 0 as the minSharesOut value.
If the transaction is delayed for a few blocks, the vault can therefore receive fewer shares than expected, as demonstrated in the PoC.
Additionally, rebalancing and updateDebtReporting calls can further change the outcome depending on the current state of the pool.
Vulnerability Details
This issue can occur in TokeAutoEth and TokeAutoUSDStrategy. But I will focus on TokeAutoEth in this report. The vault calls the _allocate function with the given amount. router::depositMax deposits the assets into the Autopool and returns the shares to the strategy contract.
```solidity
// /v3-poc/src/strategies/mainnet/TokeAutoEth.sol:57
function _allocate(uint256 amount) internal override returns (uint256) {
    require(TokenUtils.safeBalanceOf(address(weth), address(this)) >= amount, "Strategy balance is less than amount");
    TokenUtils.safeApprove(address(weth), address(router), amount);
    uint256 shares = router.depositMax(autoEth, address(this), 0); // @audit : no slippage protection here
    TokenUtils.safeApprove(address(autoEth), address(rewarder), shares);
    rewarder.stake(address(this), shares);
    return amount;
}
```
The router::depositMax function takes 3 parameters: the pool address, the receiver address and minSharesOut.
From the Autopool docs: "Depending on the conditions of the Autopool, the overall market, and the timing of the debt reporting process, slippage may be encountered on both entering and exiting the Autopool. It is very important to always check the shares received on entering, and the assets received on exiting, are greater than an expected amount." (4626-compliance#slippage)
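As an added illustration, not code from this report or from Auto Finance, the following Python models a simplified ERC-4626 pool and a router-style deposit with a minSharesOut guard: the share quote is taken when the transaction is built, the pool's exchange rate moves before execution (a constructed 5% shift standing in for a debt report or rebalance), and the deposit goes through at the worse rate when minSharesOut is 0 but reverts once a tolerance-derived minimum is passed. The pool, router and tolerance helper are hypothetical stand-ins, not the project's interfaces.

```python
from dataclasses import dataclass

# Constructed model of an ERC-4626 pool; not Auto Finance's Autopool code.
@dataclass
class Autopool:
    total_assets: int
    total_supply: int

    def convert_to_shares(self, assets: int) -> int:
        # Deposits round down: shares = assets * totalSupply / totalAssets
        return assets * self.total_supply // self.total_assets

    def deposit(self, assets: int) -> int:
        shares = self.convert_to_shares(assets)
        self.total_assets += assets
        self.total_supply += shares
        return shares

class SlippageError(Exception):
    """Stands in for the router reverting when shares < minSharesOut."""

def deposit_max(pool: Autopool, assets: int, min_shares_out: int) -> int:
    # Hypothetical router entry point mirroring the role of router.depositMax
    shares = pool.deposit(assets)
    if shares < min_shares_out:
        raise SlippageError(f"received {shares} shares, required {min_shares_out}")
    return shares

def min_shares_with_tolerance(pool: Autopool, assets: int, tolerance_bps: int) -> int:
    # Quote taken at transaction-build time, reduced by an accepted slippage in bps
    return pool.convert_to_shares(assets) * (10_000 - tolerance_bps) // 10_000

def run_scenario(use_guard: bool, tolerance_bps: int = 50) -> int:
    # Constructed state: 1 share per asset when the strategy prepares the deposit
    pool = Autopool(total_assets=1_000 * 10**18, total_supply=1_000 * 10**18)
    amount = 100 * 10**18
    min_out = min_shares_with_tolerance(pool, amount, tolerance_bps) if use_guard else 0
    # Constructed: the transaction waits a few blocks and a debt report lifts
    # totalAssets by 5%, so each deposited asset now buys fewer shares
    pool.total_assets = 1_050 * 10**18
    return deposit_max(pool, amount, min_out)

def guard_reverts(tolerance_bps: int = 50) -> bool:
    # True when the minSharesOut check stops the under-delivering deposit
    try:
        run_scenario(True, tolerance_bps)
    except SlippageError:
        return True
    return False
```

With minSharesOut = 0 the strategy silently accepts about 95.24 shares for 100 assets; with a 0.5% tolerance the same delayed transaction reverts instead.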
Impact Details
Because the deposit has no slippage protection, the vault can receive fewer shares than expected.