The sellProfits function in the Fees.sol contract has no slippage control, because amountOutMinimum is set to 0 in the exactInputSingleParams passed to the router. Furthermore, sellProfits can be called by anyone, so a malicious user can execute a self-sandwich attack for personal gain. A slippage protection mechanism should be implemented to prevent this exploitation.
The sellProfits function in the Fees.sol contract swaps the fee tokens collected through Lending into WETH, which is then transferred to the Staking contract. However, the amountOutMinimum parameter within the exactInputSingleParams passed to the swap is set to zero, which means there is no protection against slippage in the swapping process: the swap accepts any output amount, however small.
Furthermore, the sellProfits function can be called by anyone, making the system susceptible to a self-sandwich attack, in which the caller moves the pool price before the swap and restores it afterwards, capturing the difference.
Scenario:
The Fees contract holds 1000 USDC.
UserA swaps 1000 USDC for 0.5 ETH, moving the pool price.
UserA executes sellProfits, which swaps the contract's 1000 USDC for only 0.4 ETH.
UserA swaps 0.5 ETH back for 1250 USDC.
UserA nets 250 USDC.
Fees that should be distributed to Stakers can thus be partially stolen by malicious users.
Tool used: VS Code
It is recommended to calculate the expected output from the current pool's exchange rate (or a trusted price oracle) and set an appropriate amountOutMinimum based on it, rather than passing zero. Restricting who may call sellProfits further reduces the attack surface.