DenTonylifer - Hardcoded slippage params

[sherlock-admin4]

DenTonylifer

Medium

Hardcoded slippage params

Summary

_unfarmBuyBurn() uses hardcoded slippage params (1) instead of user-defined, and it will lead to loss of funds for user.

Root Cause

This function defines min amounts as 1, meaning slippage protection is disabled.
https://github.com/sherlock-audit/2024-10-axion/blob/c65e662999d0c79439703fc6713814b4ad023e01/liquidity-amo/contracts/SolidlyV3AMO.sol#L328-L334

 _unfarmBuyBurn(
            liquidity,
            1, // minBoostRemove
            1, // minUsdRemove
            1, // minBoostAmountOut
            block.timestamp + 1 // deadline
        );

Then this params is passed in this functions:

ISolidlyV3Pool(pool).burnAndCollect(
                address(this),
                tickLower,
                tickUpper,
                uint128(liquidity),
                amount0Min,
                amount1Min,
                type(uint128).max,
                type(uint128).max,
                deadline
            );

(int256 amount0, int256 amount1) = ISolidlyV3Pool(pool).swap(
            address(this),
            boost > usd, 
            int256(usdRemoved),
            targetSqrtPriceX96,
            minBoostAmountOut,
            deadline
        );

Internal pre-conditions

None

External pre-conditions

None

Attack Path

None, issue may arise in natural conditions.

Impact

User will suffer loses due to disabled slippage protection.

PoC

No response

Mitigation

Allow users to define minimum amouns when they minting/burning Boost.