20,000 USDC
Submission Details
Severity: medium
Valid

Hardcoded fee rate while swapping tokens through the Uniswap router

Summary

Hardcoded fee rate while swapping tokens through the Uniswap router.

Vulnerability Details

The Fees contract uses the Uniswap router, calling it with ExactInputSingleParams to swap loan tokens for collateral tokens. The fee value is hardcoded to 3000, which means the fee rate is 0.3%.

    function sellProfits(address _profits) public {
        require(_profits != WETH, "not allowed");
        uint256 amount = IERC20(_profits).balanceOf(address(this));
        ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
            .ExactInputSingleParams({
                tokenIn: _profits,
                tokenOut: WETH,
                fee: 3000,
                recipient: address(this),
                deadline: block.timestamp,
                amountIn: amount,
                amountOutMinimum: 0,
                sqrtPriceLimitX96: 0
            });
        amount = swapRouter.exactInputSingle(params);
        IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));
    }

Here the _profits token can be any token, so the swap would happen on different Uniswap pools. The problem is that not all pools use a fee rate of 3000, which results in the pool not being found and the transaction reverting.

Impact

Some _profits tokens cannot be swapped for WETH and those tokens are essentially locked in the Fees contract.

Tools Used

Manual Review

Recommendations

Consider allowing the caller to pass the fee parameter when calling the sellProfits method.
