Submission Details
Severity: high
Valid

Swap executed without slippage protection

Summary

The swap is called with amountOutMinimum: 0 and sqrtPriceLimitX96: 0, meaning that there is no slippage protection in this swap.

Vulnerability Details

With the function sellProfits() the user can swap their profit tokens for WETH; however, the swap is implemented as follows:

    ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
        .ExactInputSingleParams({
            tokenIn: _profits,
            tokenOut: WETH,
            fee: 3000,
            recipient: address(this),
            deadline: block.timestamp,
            amountIn: amount,
            amountOutMinimum: 0,
            sqrtPriceLimitX96: 0
        });

Note that the minimum amount the user is guaranteed to receive is zero (amountOutMinimum: 0), which is very risky.

Also, sqrtPriceLimitX96 should not be set to zero either.

Impact

This could result in a significant loss of funds from these profits as MEV bots could “sandwich” this swap by manipulating the price before this transaction and immediately reversing their action after the transaction, profiting at the expense of our swap.

A protocol that does not let users take their profits out safely is unlikely to be used. That's why this must be corrected.

Tools Used

None

Recommendations

The slippage parameters amountOutMinimum and sqrtPriceLimitX96 need to have a proper value set. You can make use of IUniswapV3PriceOracle to foresee the expected output value.

Platforms should also provide a sensible default if the user doesn't specify a value, but user-specified slippage parameters must always override platform defaults.
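As an added example (not the audited project's code), the same sellProfits() swap with a slippage floor: a user-supplied minimum overrides a platform default derived from a quote. The contract name, IERC20Minimal, and the quotedOut parameter (assumed to come from a price oracle such as the one mentioned above) are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "@uniswap/v3-periphery/contracts/interfaces/ISwapRouter.sol";

interface IERC20Minimal {
    function approve(address spender, uint256 amount) external returns (bool);
}

/// Added example, not the audited project's code. `quotedOut` stands in for a
/// price-oracle quote (assumed to be supplied by the caller or an oracle helper).
contract SlippageProtectedSwap {
    uint256 public constant BPS = 10_000;
    uint256 public constant DEFAULT_SLIPPAGE_BPS = 50; // platform default: 0.50%
    uint256 public constant MAX_SLIPPAGE_BPS = 500;    // refuse tolerances looser than 5%
    ISwapRouter public immutable router;
    address public immutable WETH;

    constructor(ISwapRouter _router, address _weth) { router = _router; WETH = _weth; }

    /// Floor for the swap output: the quote reduced by the tolerance in basis points.
    function minOut(uint256 quotedOut, uint256 slippageBps) public pure returns (uint256) {
        require(slippageBps <= MAX_SLIPPAGE_BPS, "slippage tolerance too high");
        return quotedOut * (BPS - slippageBps) / BPS;
    }

    /// userMinOut == 0 selects the platform default derived from the quote;
    /// a non-zero value is the user's own floor and always overrides the default.
    function sellProfits(
        address _profits,
        uint256 amount,
        uint256 quotedOut,
        uint256 userMinOut,
        uint160 sqrtPriceLimitX96
    ) external returns (uint256 amountOut) {
        uint256 floor = userMinOut != 0 ? userMinOut : minOut(quotedOut, DEFAULT_SLIPPAGE_BPS);
        require(floor != 0, "no slippage floor"); // never let the swap run unprotected
        IERC20Minimal(_profits).approve(address(router), amount);
        ISwapRouter.ExactInputSingleParams memory params = ISwapRouter.ExactInputSingleParams({
            tokenIn: _profits,
            tokenOut: WETH,
            fee: 3000,
            recipient: address(this),
            deadline: block.timestamp,
            amountIn: amount,
            amountOutMinimum: floor,              // router reverts if the pool pays less
            sqrtPriceLimitX96: sqrtPriceLimitX96  // optional price bound, e.g. from the oracle
        });
        amountOut = router.exactInputSingle(params);
    }
}
```

A sandwiched swap that pushes the output below the floor now reverts at the router instead of completing at a manipulated price.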
