20,000 USDC
Submission Details
Severity: medium
Valid

Deadline is set to block.timestamp in swap function.

Summary

In the sellProfits function, the deadline field of the ExactInputSingleParams struct is set to block.timestamp. This is problematic because the transaction might be left hanging in the mempool and get executed at a later time than intended.

Vulnerability Details

Without a deadline, the transaction might be left hanging in the mempool and be executed way later than the user wanted.

That could lead to users getting a worse price, because a validator can simply hold onto the transaction. When the transaction is eventually included in a block, the deadline is evaluated as that block's block.timestamp, so the deadline check always passes and the user has no protection. If there's no deadline, the transaction could be held back indefinitely, leading to swaps that are not optimal.

More on this - https://blog.bytes032.xyz/p/why-you-should-stop-using-block-timestamp-as-deadline-in-swaps

Impact

If there's no deadline, the transaction could be held back indefinitely leading to swaps that are not optimal.

Tools Used

Manual review

Recommendations

Allow for a deadline to be set by the user, such that after the deadline the transaction never takes place.
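
A sketch of the recommendation, added here as an example and not taken from the audited code base: the contract name, constructor, owner check, fee tier and the minOut parameter are assumptions, and only sellProfits, ExactInputSingleParams and the deadline field come from the finding. It places the block.timestamp pattern next to a caller-supplied deadline.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Subset of the Uniswap V3 periphery ISwapRouter interface.
interface ISwapRouter {
    struct ExactInputSingleParams {
        address tokenIn; address tokenOut; uint24 fee; address recipient;
        uint256 deadline; uint256 amountIn; uint256 amountOutMinimum;
        uint160 sqrtPriceLimitX96;
    }
    function exactInputSingle(ExactInputSingleParams calldata params)
        external payable returns (uint256 amountOut);
}

// Hypothetical contract for illustration; it is assumed to already hold tokenIn.
contract ProfitSellerExample {
    ISwapRouter public immutable router;
    address public immutable owner;
    address public immutable tokenIn;
    address public immutable tokenOut;
    uint24 public constant FEE = 3000; // assumed pool fee tier

    constructor(ISwapRouter r, address tIn, address tOut) {
        router = r; owner = msg.sender; tokenIn = tIn; tokenOut = tOut;
    }

    // Before: block.timestamp is read in the including block, so the
    // router's `block.timestamp <= deadline` check can never fail.
    function sellProfitsNoDeadline(uint256 amountIn, uint256 minOut) external returns (uint256) {
        return _swap(amountIn, minOut, block.timestamp);
    }

    // After: the caller fixes the deadline when signing; late inclusion reverts.
    function sellProfits(uint256 amountIn, uint256 minOut, uint256 deadline) external returns (uint256) {
        return _swap(amountIn, minOut, deadline);
    }

    function _swap(uint256 amountIn, uint256 minOut, uint256 deadline) private returns (uint256) {
        require(msg.sender == owner, "not owner");
        require(block.timestamp <= deadline, "deadline passed"); // fail before approving
        require(IERC20(tokenIn).approve(address(router), amountIn), "approve failed");
        return router.exactInputSingle(ISwapRouter.ExactInputSingleParams({
            tokenIn: tokenIn, tokenOut: tokenOut, fee: FEE, recipient: address(this),
            deadline: deadline, amountIn: amountIn, amountOutMinimum: minOut,
            sqrtPriceLimitX96: 0
        }));
    }
}
```

The deadline passed to sellProfits should be computed off-chain at signing time (for example, the current time plus a short window), since any value derived on-chain at execution would reintroduce the same problem.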
