Main Honeysuckle Tarantula
Medium
The protocol added slippage protection for the buyVotes function and now the user cannot buy less than he specified.
However, the sellVotes function does not protect the user in this way. Therefore, the user can get much less eth from selling his votes than he should.
Let's consider two scenarios. The first is a normal market situation, when the user's buy order is executed at a different price than expected. The sell price falls if before that someone either sold the given vote or bought the opposite vote. During periods of strong market activity, users can lose money on slippage.
The second is the sandwich attack. Since it is Base L2 - its probability is low, but due to the discrete nature of price changes in the protocol - impact = high.
- A user places a transaction to sell TRUSTED votes.
- Malicious user realises that this transaction will lower the price of TRUSTED votes and does the following.
He sells all his TRUSTED votes before the user's transaction. He then skips the user transaction. He will already be selling at a lower price than expected. Then the malicious user buys back all his TRUSTED votes. Thus making money on the user's transaction, but harming the user.
No slippage protection for sellVotes
No response
No response
No response
The user may receive less eth than expected due to market fluctuations.
It also opens up the possibility for very profitable sandwich attacks.
No response
Add minimal fundsReceived for every sell order