Omniscia Steadefi Audit

TraderJoeYieldFarmManager Manual Review Findings

TJM-01M: Inexistent Slippage Protections

Type: Logical Fault
Severity:
Location: TraderJoeYieldFarmManager.sol:L301, L314-L315, L330-L331, L378-L383, L388, L409, L424, L444

Description:

The referenced integrations with JoeRouter02 of the Trader Joe protocol do not specify correct minimum values in the referenced liquidity provision, withdrawal, and general token swap operations.

Impact:

The current mechanisms of the contract render the users as well as the system itself prone to arbitrage attacks, causing them to receive less value for their interactions with the Trader Joe protocol.

Example:

contracts/vaults/trader-joe/TraderJoeYieldFarmManager.sol
299 router.swapExactTokensForTokens(
300     optimalSwapAmount,
301     0, // amountOutMin: no minimum output is enforced
302     swapPathForOptimalDeposit,
303     address(this),
304     block.timestamp
305 );

Recommendation:

We advise relaying correct values from the top-level context of each code path to the swapExactTokensForTokens / addLiquidity / removeLiquidity function calls, introducing new variables wherever necessary (i.e. TraderJoeYieldFarmVault::compound -> TraderJoeYieldFarmManager::compound -> TraderJoeYieldFarmManager::_swapRewardWithFee & TraderJoeYieldFarmManager::_addLiquidity).
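
A sketch of the relaying pattern recommended above, added here as an illustration and not taken from the Steadefi code base or the audit. The contract name SlippageAwareManager, the minAmountOut parameter, the _swapReward helper and the OnlyVault / ZeroMinimum errors are hypothetical; it assumes the caller derives minAmountOut from a quote and a tolerance, and that the router already holds an allowance for the input token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Slice of the Uniswap-V2-style interface exposed by JoeRouter02.
interface IJoeRouter02 {
    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path,
        address to,
        uint256 deadline
    ) external returns (uint256[] memory amounts);
}

// Hypothetical manager (assumption): not the Steadefi contract.
contract SlippageAwareManager {
    IJoeRouter02 public immutable router;
    address public immutable vault;

    error OnlyVault();
    error ZeroMinimum();

    constructor(IJoeRouter02 router_, address vault_) {
        router = router_;
        vault = vault_;
    }

    // Top-level context: the vault passes the minimum it is willing to accept.
    function compound(uint256 rewardAmount, uint256 minAmountOut, address[] calldata path)
        external
        returns (uint256 received)
    {
        if (msg.sender != vault) revert OnlyVault();
        if (minAmountOut == 0) revert ZeroMinimum(); // reject the "accept any output" case
        received = _swapReward(rewardAmount, minAmountOut, path);
    }

    // The bound is relayed unchanged; the router reverts if the output falls below it.
    // Assumes the router already holds an allowance for path[0].
    function _swapReward(uint256 amountIn, uint256 minAmountOut, address[] calldata path)
        private
        returns (uint256)
    {
        uint256[] memory amounts = router.swapExactTokensForTokens(
            amountIn, minAmountOut, path, address(this), block.timestamp
        );
        return amounts[amounts.length - 1];
    }
}
```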

Alleviation (4325253d6de0ea91c1e9fb9e01d2e7e98f3d83a9):

This finding was addressed as part of the efforts for alleviating TJY-05M, rendering slippage checks redundant in all referenced calls given that they are evaluated at their top-level contexts.