Submission Details
Severity:
Slippage parameter in sellProfits() set to zero
Summary
In fees.sol under the function sellProfits() a swap is done converting tokens to WETH. but the issue here results in the fact that slippage is set to zero
Vulnerability Details
Defi platforms must allow a user set a slippage parameter or a default slippage should be set to prevent loss of funds. It can be seen in the snippet below that slippage is set to zero.
function sellProfits(address _profits) public {
require(_profits != WETH, "not allowed");
uint256 amount = IERC20(_profits).balanceOf(address(this));
ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
.ExactInputSingleParams({
tokenIn: _profits,
tokenOut: WETH,
fee: 3000,
recipient: address(this),
deadline: block.timestamp,
amountIn: amount,
amountOutMinimum: 0,
sqrtPriceLimitX96: 0
});
amount = swapRouter.exactInputSingle(params);
IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));
}
}
This means that the user can accept a zero amount of tokens as output.
Impact
This opens the protocol to catastrophic loss of funds via MEV bot sandwich attacks.
Tools Used
Manual Review
Recommendations
A default or caller-specified slippage should be set.
Prize pool breakdown
Total prize
20,000 USDC
nSLOC
70628 USDC / LOC
18,000 USDC
2,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.