Submission Details
Severity: high
Valid

Selling fee tokens for WETH is susceptible to slippage

Summary

Selling received fee tokens (_profits) for WETH is susceptible to slippage due to using amountOutMinimum = 0 in the exactInputSingle function of Uniswap V3.

Vulnerability Details

Received fee tokens are swapped for WETH using the sellProfits function. The amountOutMinimum parameter of Uniswap V3's exactInputSingle specifies the smallest amount of output tokens the caller is willing to accept; if the swap would return less, the router reverts. Passing amountOutMinimum = 0 means the caller accepts any output, including zero, so the swap can return far less WETH than the current market price implies. In particular, the swap can be sandwiched by MEV bots, which move the pool price before the swap executes and restore it afterwards, keeping the difference.

Fees.sol#L38

26:     function sellProfits(address _profits) public {
27:         require(_profits != WETH, "not allowed");
28:         uint256 amount = IERC20(_profits).balanceOf(address(this));
29:
30:         ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
31:             .ExactInputSingleParams({
32:                 tokenIn: _profits,
33:                 tokenOut: WETH,
34:                 fee: 3000,
35:                 recipient: address(this),
36:                 deadline: block.timestamp,
37:                 amountIn: amount,
38: @>              amountOutMinimum: 0,
39:                 sqrtPriceLimitX96: 0
40:             });
41:
42:         amount = swapRouter.exactInputSingle(params);
43:         IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));
44:     }

Impact

Due to the lack of slippage protection, every fee token swap performed by sellProfits is open to sandwich attacks, and the WETH forwarded to staking will be less than the fee tokens were worth, resulting in a loss of funds.

Tools Used

Manual Review

Recommendations

Set amountOutMinimum to a non-zero value so that the swap reverts instead of executing at an unfavourable price. amountOutMinimum can be derived from the expected output of the swap (for example, a quote obtained before the transaction) reduced by a reasonable slippage threshold (e.g., 5%).
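The following is an added example, not code from the audited contract or from Uniswap: a toy constant-product pool with the same 0.3% fee tier (3000) the contract selects, showing how much WETH the sellProfits swap loses when another trade lands in the same pool ahead of it with amountOutMinimum = 0, and that a 5% bound computed from the quote makes the swap revert instead. Pool reserves and trade sizes are constructed sample values in wei.

```python
"""Added example (not the audited contract's code): toy x*y=k pool showing why
amountOutMinimum = 0 loses WETH and how a 5% bound makes the swap revert."""

BPS = 10_000
FEE_BPS = 30                        # Uniswap fee tier 3000 = 0.30%
RESERVE_TOKEN = 1_000_000 * 10**18  # constructed: fee-token reserve
RESERVE_WETH = 1_000 * 10**18       # constructed: WETH reserve (1 WETH = 1000 tokens)
AMOUNT_IN = 10_000 * 10**18         # constructed: fee tokens sellProfits would swap
FRONT_RUN_IN = 50_000 * 10**18      # constructed: same-direction trade landing first


def get_amount_out(amount_in, reserve_in, reserve_out, fee_bps=FEE_BPS):
    """Constant-product output after the pool fee, integer math as on-chain."""
    amount_in_with_fee = amount_in * (BPS - fee_bps)
    return amount_in_with_fee * reserve_out // (reserve_in * BPS + amount_in_with_fee)


def min_out_for_slippage(quoted_out, slippage_bps):
    """amountOutMinimum = quote * (1 - slippage); 500 bps is the 5% threshold."""
    return quoted_out * (BPS - slippage_bps) // BPS


def swap(amount_in, reserve_in, reserve_out, amount_out_minimum):
    """One exact-input swap. Returns None where the router would revert
    ("Too little received") because output < amountOutMinimum."""
    out = get_amount_out(amount_in, reserve_in, reserve_out)
    if out < amount_out_minimum:
        return None
    return out, reserve_in + amount_in, reserve_out - out


def sell_profits_output(amount_out_minimum, front_run_in=0):
    """WETH received by the sellProfits swap of AMOUNT_IN, optionally after
    front_run_in fee tokens were sold into the pool first. None means reverted."""
    reserve_in, reserve_out = RESERVE_TOKEN, RESERVE_WETH
    if front_run_in:
        _, reserve_in, reserve_out = swap(front_run_in, reserve_in, reserve_out, 0)
    result = swap(AMOUNT_IN, reserve_in, reserve_out, amount_out_minimum)
    return None if result is None else result[0]


if __name__ == "__main__":
    quote = get_amount_out(AMOUNT_IN, RESERVE_TOKEN, RESERVE_WETH)
    bound = min_out_for_slippage(quote, 500)
    print("quote                :", quote / 1e18, "WETH")
    print("min out (5%)         :", bound / 1e18, "WETH")
    print("no bound, sandwiched :", sell_profits_output(0, FRONT_RUN_IN) / 1e18, "WETH")
    print("5% bound, sandwiched :", sell_profits_output(bound, FRONT_RUN_IN))
```

With these sample reserves the swap receives roughly 9% less WETH than quoted when a trade lands ahead of it, so the 5% bound triggers a revert and the fee tokens stay in the contract for a later attempt.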
