Submission Details
Severity: high
Valid

Lack of Slippage Tolerance in Token Swap Operation Resulting in Potential Price Manipulation

Summary

The sellProfits function swaps the contract's _profits tokens for WETH without any lower bound on the WETH it must receive, so the trade accepts whatever rate the pool offers at execution. An actor who can move the pool price just before the owner's transaction lands (for example with a flash loan) can make the contract sell its profits at a heavily discounted rate and pocket the difference.

Vulnerability Details

The sellProfits function in the contract performs its swap with no slippage tolerance: the router call carries no meaningful minimum output, so the swap succeeds at any price the pool reports at execution time. Because the pool's spot price can be moved within a single block, anyone able to order a transaction ahead of the owner's (via the public mempool or a builder bundle) can manipulate the rate, and a flash loan removes the capital requirement for doing so.

Proof of Concept

Given:

  • There are some _profits tokens in the contract.

When:

  1. The owner submits a sellProfits transaction. An attacker who observes it pending takes a flash loan of the _profits token and sells it into the pool in a transaction ordered just before the owner's, pushing the WETH price of _profits down. (sellProfits is onlyOwner, so the attacker front-runs the owner's call rather than calling the function directly.)

  2. The owner's sellProfits executes against the manipulated reserves. Because the swap has no minimum output, it does not revert, and the contract receives far less WETH than the pre-manipulation quote.

  3. The attacker buys the _profits tokens back at the depressed price, repays the flash loan and keeps the surplus, which is paid for by the WETH the contract failed to receive.

Impact

Every call to sellProfits can be sandwiched in this way, so the protocol's accumulated profits are sold at an attacker-chosen rate and the shortfall is transferred to the attacker. The attack requires no privilege in the protocol, only the ability to order a transaction ahead of the owner's, and the flash loan means the attacker does not need to hold the _profits token beforehand.

Tools Used

ChatGPT & VS Code

Recommendations

Consider adding a slippage tolerance mechanism: add a minimum-output parameter (e.g., _minAmountOut) to the sellProfits function and pass it through as the swap's amountOutMinimum, so that the swap reverts instead of executing at a manipulated rate. The owner should compute _minAmountOut off-chain from a quote taken when the transaction is prepared, minus an accepted tolerance (a small percentage); this protects against price changes between the time the transaction is sent and when it is executed. The value must not be derived on-chain from the pool's spot price inside the same transaction, since that spot price is exactly what the attacker moves.

function sellProfits(address _profits, uint256 _minAmountOut) public onlyOwner {
    ...
    amountOutMinimum: _minAmountOut,
    ...
}
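The following simulation is an added example, not code from the original report or from the audited project. It replays the Proof of Concept sequence (front-run, owner's sellProfits, back-run) and the Recommendation against a toy constant-product pool: a simplified x*y=k model with a 0.3% fee stands in for the Uniswap-style pool the real swap goes through, and the reserves, the contract's _profits balance and the flash-loan size are constructed numbers chosen only for illustration. Run with amountOutMinimum of zero, the owner's swap succeeds at the manipulated rate and the attacker ends the block with more _profits tokens than it borrowed; run with a _minAmountOut derived from the pre-manipulation quote at 1% tolerance, the owner's swap reverts and the attacker's round trip only pays pool fees.

```python
# Added example, not code from the original report or the audited project.
# A toy constant-product pool (x * y = k with a 0.3% fee) stands in for the
# pool the real sellProfits swaps through; the pool model, the reserves and
# the amounts below are assumptions chosen for illustration.
from dataclasses import dataclass

BPS = 10_000
FEE_BPS = 30            # 0.3% pool fee, assumption

# Constructed scenario: at the start 1 WETH unit buys 1000 _profits units.
INITIAL_PROFITS_RESERVE = 1_000_000_000
INITIAL_WETH_RESERVE = 1_000_000
CONTRACT_PROFITS = 10_000_000       # _profits balance the owner wants to sell
ATTACKER_FLASH_LOAN = 500_000_000   # _profits borrowed to move the price


class SlippageExceeded(Exception):
    """Stands in for the router revert when output < amountOutMinimum."""


@dataclass
class Pool:
    reserve_profits: int
    reserve_weth: int

    def _out(self, amount_in: int, reserve_in: int, reserve_out: int) -> int:
        # Fee is taken on the input, then x * y = k determines the output.
        amount_in_after_fee = amount_in * (BPS - FEE_BPS) // BPS
        return reserve_out * amount_in_after_fee // (reserve_in + amount_in_after_fee)

    def quote_profits_to_weth(self, amount_in: int) -> int:
        return self._out(amount_in, self.reserve_profits, self.reserve_weth)

    def swap_profits_for_weth(self, amount_in: int, min_out: int) -> int:
        """Like a _profits -> WETH exact-input swap: reverts if output < min_out."""
        out = self.quote_profits_to_weth(amount_in)
        if out < min_out:
            raise SlippageExceeded(f"got {out} WETH, amountOutMinimum was {min_out}")
        self.reserve_profits += amount_in
        self.reserve_weth -= out
        return out

    def swap_weth_for_profits(self, amount_in: int) -> int:
        out = self._out(amount_in, self.reserve_weth, self.reserve_profits)
        self.reserve_weth += amount_in
        self.reserve_profits -= out
        return out


def fresh_pool() -> Pool:
    return Pool(INITIAL_PROFITS_RESERVE, INITIAL_WETH_RESERVE)


def fair_quote() -> int:
    """WETH sellProfits would receive if nobody traded ahead of it."""
    return fresh_pool().quote_profits_to_weth(CONTRACT_PROFITS)


def min_out_from_quote(quote: int, slippage_bps: int) -> int:
    """Off-chain computed _minAmountOut: the quote minus the tolerated slippage."""
    return quote * (BPS - slippage_bps) // BPS


def sandwich(min_out: int) -> dict:
    """Front-run / owner's sellProfits / back-run, all in one block."""
    pool = fresh_pool()
    # 1. Attacker front-runs the owner's pending sellProfits: dumps flash-loaned
    #    _profits into the pool, so the WETH price of _profits collapses.
    attacker_weth = pool.swap_profits_for_weth(ATTACKER_FLASH_LOAN, 0)
    # 2. The owner's sellProfits executes against the manipulated reserves.
    try:
        victim_weth = pool.swap_profits_for_weth(CONTRACT_PROFITS, min_out)
    except SlippageExceeded:
        victim_weth = None          # reverted: the contract keeps its _profits
    # 3. Attacker back-runs: buys _profits back with the WETH and repays the loan.
    repaid = pool.swap_weth_for_profits(attacker_weth)
    return {
        "victim_weth": victim_weth,
        "attacker_profit": repaid - ATTACKER_FLASH_LOAN,   # in _profits units
    }


if __name__ == "__main__":
    quote = fair_quote()
    print("fair quote for the contract's swap:", quote)
    print("amountOutMinimum = 0:", sandwich(0))
    print("_minAmountOut at 1% tolerance:", sandwich(min_out_from_quote(quote, 100)))
```

In the constructed scenario the contract's fair quote is 9871 WETH units, but with no minimum output it receives 4406 (less than half) and the attacker nets roughly 3.5 million _profits units after repaying the loan; with _minAmountOut set to 9772 (1% below the quote) the owner's swap reverts and the attacker's own round trip loses the pool fees. The real pool's concentrated liquidity changes the exact figures, not the mechanism.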
