20,000 USDC
Submission Details
Severity: medium
Valid

Ineffective deadline check when swapping tokens

Summary

sellProfits allows users to swap tokens but gives the caller no way to specify an effective deadline.

Vulnerability Details

The sellProfits function uses Uniswap to swap tokens. Using block.timestamp as a deadline is an ineffective way to protect the user from the unexpected execution of the transaction in the future, leaving users vulnerable to the potential loss of their tokens.

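This is possible because the deadline is evaluated when the transaction executes, not when it is submitted. Whenever the miner decides to include the transaction in a block, it will be valid at that time, since block.timestamp will be the current timestamp and the deadline check will always pass.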
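The behaviour described above, as an added Python model that is not part of the original submission or the project's code. It assumes the router rejects a swap when the block timestamp is greater than the deadline, as Uniswap V3's checkDeadline modifier does; the function names, timestamps and the 600-second window are constructed for illustration.

```python
"""Model of the router deadline check (constructed example, not project code)."""


class TransactionTooOld(Exception):
    """Stands in for the router's 'Transaction too old' revert."""


def router_exact_input_single(block_timestamp: int, deadline: int) -> str:
    # Assumed router behaviour: revert once the block time is past the deadline.
    if block_timestamp > deadline:
        raise TransactionTooOld(f"{block_timestamp} > {deadline}")
    return "swapped"


def sell_profits_current(block_timestamp: int) -> str:
    # deadline: block.timestamp is read inside the including block,
    # so the router compares the block time with itself.
    return router_exact_input_single(block_timestamp, deadline=block_timestamp)


def sell_profits_fixed(block_timestamp: int, deadline: int) -> str:
    # deadline: _deadline is fixed by the caller when the transaction is built.
    return router_exact_input_single(block_timestamp, deadline=deadline)


def outcome(call, *args) -> str:
    try:
        return call(*args)
    except TransactionTooOld:
        return "reverted"


def simulate(submitted_at: int, delays: list[int], window: int) -> list[dict]:
    """Run both variants for each inclusion delay (seconds after submission)."""
    deadline = submitted_at + window
    rows = []
    for delay in delays:
        included_at = submitted_at + delay
        rows.append({
            "delay": delay,
            "current": outcome(sell_profits_current, included_at),
            "fixed": outcome(sell_profits_fixed, included_at, deadline),
        })
    return rows


if __name__ == "__main__":
    # Constructed timeline: included after 12 s, 10 min and 1 day.
    for row in simulate(1_700_000_000, [12, 600, 86_400], window=600):
        print(row)
```

The current variant succeeds at every delay, while the variant with a caller-supplied deadline reverts once inclusion falls outside the window.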

Impact

The user's transaction can be unexpectedly executed at any convenient time, which can lead to a loss of funds.

Tools Used

Manual review

Recommendations

To mitigate the risks, allow users to specify a deadline parameter.

-function sellProfits(address _profits) public {
+function sellProfits(address _profits, uint256 _deadline) public {
require(_profits != WETH, "not allowed");
uint256 amount = IERC20(_profits).balanceOf(address(this));
ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
.ExactInputSingleParams({
tokenIn: _profits,
tokenOut: WETH,
fee: 3000,
recipient: address(this),
- deadline: block.timestamp,
+ deadline: _deadline,
amountIn: amount,
amountOutMinimum: 0,
sqrtPriceLimitX96: 0
});
amount = swapRouter.exactInputSingle(params);
IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));
}
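
Review bot: amountOutMinimum: 0 and sqrtPriceLimitX96: 0 are left unchanged in the params struct, so even with _deadline enforced the swap still accepts any output amount for the contract's entire balance of _profits. Consider adding a caller-supplied minimum output parameter next to _deadline and passing it as amountOutMinimum. The function also remains public, so whoever calls it chooses _deadline; a comment on the signature stating the expected unit (Unix timestamp in seconds) and the intended caller would help. Separately, the return value of IERC20(WETH).transfer on the last line is not checked.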
