20,000 USDC
Submission Details
Severity: high
Valid

Slippage parameter in sellProfits() set to zero

Summary

In fees.sol, the function sellProfits() swaps the contract's entire balance of a profit token into WETH through Uniswap V3's exactInputSingle(). The swap is submitted with amountOutMinimum set to zero, so it has no slippage protection at all.

Vulnerability Details

A DeFi protocol that routes funds through an AMM must either let the caller supply a minimum acceptable output or enforce a sensible default, otherwise the trade can be executed at an arbitrarily bad price and funds are lost. In the snippet below amountOutMinimum is hard-coded to 0. Two further details make the problem easier to exploit: deadline is set to block.timestamp, which is always satisfied and therefore never expires a pending transaction, and sellProfits() is public with no access control, so an attacker can trigger the swap at a moment of their choosing and bundle it with their own transactions.

// fees.sol, vulnerable version as reported. The contract wrapper, pragma,
// imports and state variable declarations below are added for context so the
// snippet compiles; the original file's own declarations are not shown here.
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@uniswap/v3-periphery/contracts/interfaces/ISwapRouter.sol";

contract Fees {
    address public WETH;
    ISwapRouter public swapRouter;
    address public staking;

    // Anyone can call this: no access control, no slippage bound, no real deadline.
    function sellProfits(address _profits) public {
        require(_profits != WETH, "not allowed");
        // Sell the contract's whole balance of the profit token for WETH
        uint256 amount = IERC20(_profits).balanceOf(address(this));
        ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
            .ExactInputSingleParams({
                tokenIn: _profits,
                tokenOut: WETH,
                fee: 3000,
                recipient: address(this),
                deadline: block.timestamp,   // always "now": never expires the tx
                amountIn: amount,
                amountOutMinimum: 0,         // accepts any output, including zero
                sqrtPriceLimitX96: 0
            });
        amount = swapRouter.exactInputSingle(params);
        // Forward whatever WETH came back to the staking contract
        IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));
    }
}

With amountOutMinimum at 0 the router will let the swap succeed no matter how little WETH comes back, down to zero, and because the value is hard-coded the caller has no way to tighten it.

Impact

Every call to sellProfits() can be sandwiched: an MEV searcher front-runs it with a large buy of WETH in the same pool, lets the protocol sell its profit tokens into the inflated price, then back-runs by selling the WETH back. The difference is captured by the attacker and lost to the staking contract, which receives only the depressed output. Since the whole balance is sold in one swap and anyone can trigger it, the loss can be a large fraction of the accumulated profits.

Tools Used

Manual Review

Recommendations

Add a minimum-output parameter to sellProfits() (or derive one on-chain from a trusted price source such as a TWAP or oracle quote, minus a bounded slippage tolerance) and pass it as amountOutMinimum, so that the swap reverts instead of filling at a manipulated price. Pass a caller-supplied deadline rather than block.timestamp, and consider restricting who may call sellProfits() so the swap cannot be triggered at an attacker-chosen moment.
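To make the Vulnerability Details, Impact and Recommendation sections concrete, here is an added simulation (not code from the audited fees.sol or its project) of a sandwich against the swap in sellProfits(). It models the pool as a constant-product AMM (x * y = k), a simplification of the Uniswap V3 tick-range liquidity the real router trades against, with a 0.3 % fee matching the `fee: 3000` tier. Reserves, trade sizes and the 1 % tolerance are constructed values. It shows that with amountOutMinimum == 0 the victim's swap fills at whatever price the front-runner leaves behind and the attacker profits, while an amountOutMinimum derived from a pre-trade quote with a slippage tolerance makes the same sandwich revert and leaves the attacker paying fees for nothing.

```python
"""Sandwich-attack simulation for an exactInputSingle-style swap with and
without amountOutMinimum. Added example; not part of the audited contract."""
from dataclasses import dataclass
from typing import Optional

WAD = 10**18
FEE_BPS = 30  # 0.3 % pool fee, the `fee: 3000` tier used in the report


class SlippageExceeded(Exception):
    """Stands in for the router's 'Too little received' revert."""


@dataclass
class Pool:
    token: int  # reserve of the profit token being sold, in wei
    weth: int   # reserve of WETH, in wei

    @staticmethod
    def _out(amount_in: int, reserve_in: int, reserve_out: int) -> int:
        # Constant-product output after the pool fee is taken on the input.
        fee_adjusted = amount_in * (10_000 - FEE_BPS)
        return reserve_out * fee_adjusted // (reserve_in * 10_000 + fee_adjusted)

    def quote_token_to_weth(self, amount_in: int) -> int:
        return self._out(amount_in, self.token, self.weth)

    def sell_token(self, amount_in: int, min_out: int) -> int:
        """Sell profit token for WETH; revert if the output is below min_out."""
        out = self.quote_token_to_weth(amount_in)
        if out < min_out:
            raise SlippageExceeded(f"got {out}, wanted at least {min_out}")
        self.token += amount_in
        self.weth -= out
        return out

    def sell_weth(self, amount_in: int) -> int:
        """Sell WETH for profit token (the attacker's back-run leg)."""
        out = self._out(amount_in, self.weth, self.token)
        self.weth += amount_in
        self.token -= out
        return out


def min_out_with_tolerance(quote: int, tolerance_bps: int) -> int:
    """amountOutMinimum the fix would pass: the quote minus an allowed slippage."""
    return quote * (10_000 - tolerance_bps) // 10_000


def simulate(victim_amount: int, frontrun_amount: int,
             tolerance_bps: Optional[int]) -> dict:
    """Run front-run -> victim swap -> back-run and report the outcome.

    tolerance_bps=None reproduces the report's amountOutMinimum: 0. The
    victim's quote is taken before the attacker moves the price, as an
    off-chain caller or an oracle/TWAP-based check would obtain it.
    """
    # Constructed pool: 1 WETH = 1000 profit tokens
    pool = Pool(token=1_000_000 * WAD, weth=1_000 * WAD)
    honest_quote = pool.quote_token_to_weth(victim_amount)
    min_out = 0 if tolerance_bps is None else min_out_with_tolerance(honest_quote, tolerance_bps)

    attacker_weth = pool.sell_token(frontrun_amount, 0)       # 1. front-run, same direction
    try:
        victim_out: Optional[int] = pool.sell_token(victim_amount, min_out)  # 2. sellProfits()
    except SlippageExceeded:
        victim_out = None                                      # the protected swap reverts
    attacker_tokens_back = pool.sell_weth(attacker_weth)       # 3. back-run, unwind position

    return {
        "honest_quote": honest_quote,
        "victim_out": victim_out,
        "victim_loss": None if victim_out is None else honest_quote - victim_out,
        "attacker_profit": attacker_tokens_back - frontrun_amount,
    }


if __name__ == "__main__":
    print("amountOutMinimum = 0:", simulate(10_000 * WAD, 200_000 * WAD, None))
    print("1 % tolerance:       ", simulate(10_000 * WAD, 200_000 * WAD, 100))
```

With the constructed numbers the unprotected victim receives roughly 6.9 WETH for a trade honestly worth about 9.9 WETH, and the attacker nets roughly 2,000 profit tokens; with a 1 % tolerance the victim's swap reverts and the attacker ends the bundle about 1,000 tokens down on fees. The tolerance bounds what a sandwich can extract, so it should be as tight as the expected price movement allows.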
