Submission Details
Severity: high
Valid

Denial Of Service due to no slippage & deadline protection

Summary

The sellProfits function does not give the caller any control over the swap's deadline or minimum output, which can easily lead to a Denial of Service for users.

Vulnerability Details

The first validation issue is the deadline parameter. Setting it to zero could leave the transaction sitting in the mempool and being executed much later, potentially at a worse price for the user. In our case, the deadline parameter is set to block.timestamp. Protocols shouldn't set the deadline to block.timestamp: a validator can hold the transaction, and whatever block it is eventually included in will have that block's timestamp as block.timestamp, so the check can never fail and offers no protection.

There is also a slippage parameter (amountOutMinimum). The idea of setting slippage is to protect the user from receiving fewer tokens than they wanted due to high volatility and to stop them from being exploited by MEV bots. Hard-coding it can lead to frozen user funds during periods of high volatility. In the code snippet, it is set to zero. A function that requires zero slippage is likely to revert, presenting a persistent Denial of Service to users. Expecting zero slippage is unrealistic.

Impact

Without proper deadline and slippage protection, there is an extremely large risk of a DoS to anyone calling sellProfits.

Tools Used

Manual Review

Recommendations

It's recommended to allow users to set an expiration deadline and a slippage parameter (amountOutMinimum) of their choice. Make sure to add adequate validation on both values as well.
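As an added example (not the audited project's code), the contract below shows the hard-coded pattern the finding describes next to the recommended version in which the caller supplies both values and the contract validates them. It assumes the swap is routed through a Uniswap V3-style `ISwapRouter.exactInputSingle`; the contract name, the token fields, `MAX_DEADLINE_WINDOW` and the custom errors are illustrative assumptions, and the contract is assumed to already hold the tokens it sells.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the audited project's code. Assumes a Uniswap V3-style router;
// the router wiring, token fields and limits below are assumptions for illustration.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

interface ISwapRouter {
    struct ExactInputSingleParams {
        address tokenIn;
        address tokenOut;
        uint24 fee;
        address recipient;
        uint256 deadline;
        uint256 amountIn;
        uint256 amountOutMinimum;
        uint160 sqrtPriceLimitX96;
    }

    function exactInputSingle(ExactInputSingleParams calldata params)
        external
        payable
        returns (uint256 amountOut);
}

contract ProfitSellerExample {
    ISwapRouter public immutable router;
    address public immutable profitToken; // token being sold (assumed)
    address public immutable payoutToken; // token received (assumed)
    uint24 public immutable poolFee;

    // Upper bound on how far in the future a caller may place the deadline (assumed value).
    uint256 public constant MAX_DEADLINE_WINDOW = 30 minutes;

    error DeadlineInPast();
    error DeadlineTooFar();
    error ZeroMinimumOut();

    constructor(ISwapRouter _router, address _profitToken, address _payoutToken, uint24 _poolFee) {
        router = _router;
        profitToken = _profitToken;
        payoutToken = _payoutToken;
        poolFee = _poolFee;
    }

    // BEFORE: the pattern described in the finding. deadline = block.timestamp can never
    // expire, and amountOutMinimum = 0 accepts any output amount.
    function sellProfitsUnprotected(uint256 amountIn) external returns (uint256 amountOut) {
        IERC20(profitToken).approve(address(router), amountIn);
        amountOut = router.exactInputSingle(
            ISwapRouter.ExactInputSingleParams({
                tokenIn: profitToken,
                tokenOut: payoutToken,
                fee: poolFee,
                recipient: msg.sender,
                deadline: block.timestamp, // no protection: always equals the inclusion block's timestamp
                amountIn: amountIn,
                amountOutMinimum: 0,       // no protection: any output is accepted
                sqrtPriceLimitX96: 0
            })
        );
    }

    // AFTER: the caller chooses both values; the contract validates them before swapping.
    function sellProfits(uint256 amountIn, uint256 amountOutMinimum, uint256 deadline)
        external
        returns (uint256 amountOut)
    {
        // Reject deadlines that already passed or sit unreasonably far in the future.
        if (deadline < block.timestamp) revert DeadlineInPast();
        if (deadline > block.timestamp + MAX_DEADLINE_WINDOW) revert DeadlineTooFar();
        // Reject a zero minimum, which would accept any output amount.
        if (amountOutMinimum == 0) revert ZeroMinimumOut();

        IERC20(profitToken).approve(address(router), amountIn);
        amountOut = router.exactInputSingle(
            ISwapRouter.ExactInputSingleParams({
                tokenIn: profitToken,
                tokenOut: payoutToken,
                fee: poolFee,
                recipient: msg.sender,
                deadline: deadline,                 // caller-supplied, bounded above
                amountIn: amountIn,
                amountOutMinimum: amountOutMinimum, // caller-supplied, non-zero
                sqrtPriceLimitX96: 0
            })
        );
    }
}
```

The upper bound on the deadline matters because the contract can only enforce whatever value the caller passes; a caller who passes `block.timestamp` reproduces the original weakness, while the window keeps a stale signed transaction from remaining valid indefinitely. The router itself enforces the deadline and minimum output, so the checks here reject bad inputs early with an explicit reason rather than relying on the router's revert.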
