Beedle - Oracle free perpetual lending
BeedleFi
DeFiFoundry
20,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

No Slippage Protection while Swapping tokens through uniswap router

CircleLooper

Summary

No Slippage Protection while Swapping tokens through uniswap router.

Vulnerability Details

In Fees contract, sellProfits method uses Uniswap Router which uses ExactInputSingleParams method call to swap loan tokens for collateral tokens. But the value of amountOutMinimum is set to be zero which allows 100% Value Slippage.

function sellProfits(address _profits) public {
require(_profits != WETH, "not allowed");
uint256 amount = IERC20(_profits).balanceOf(address(this));
ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
.ExactInputSingleParams({
tokenIn: _profits,
tokenOut: WETH,
fee: 3000,
recipient: address(this),
deadline: block.timestamp,
amountIn: amount,
amountOutMinimum: 0,
sqrtPriceLimitX96: 0
});
amount = swapRouter.exactInputSingle(params);
IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));
}

As there is no slippage control while swapping swap loan tokens for collateral tokens which means that a malicious actor could, e.g., trivially insert transactions before and after the naive transaction (using the infamous "sandwich" attack), causing the smart contract to trade at a radically worse price, profit from this at the caller's expense, and then return the contracts to their original state, all at a low cost.

Impact

Loss of Funds.

Tools Used

Manual Review

Recommendations

Please consider to use a require check at the end of swap to make sure that slippage is not higher than caller allowed slippage.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.