Beedle - Oracle free perpetual lending

Summary

Lack of slippage protection in fees.sol swapping functionality is vulnerability to MEV sandwich attack, resulting in loss of fees for the protocol.

Vulnerability Details

Beedles collects fees in fees.sol, these fees are collected in many different ERC20 tokens, beedle then swaps these tokens for WETH using Uniswap Swapping functionality.

https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Fees.sol#L30-L40

As shown it uses Uniswaps exactInputSingle() function to swap these tokens. This function expects amountOutMinimum parameter to clarify minimum amount of output token (WETH here) user is willing to accept for the exact amount of token supplied.

However setting these parameter to default zero, implies that protocol does not have any minimum amount of output token set.

consider popular MEV sandwich attack wherein :

• The attacker identifies a pending transaction where a protocol wants to buy WETH using say DAI on Uniswap.

• The attacker quickly sends two transactions:

  • First, they swap a small amount of WETH for DAI, causing the WETH price to temporarily increase.

  • Next, the protocols buy order is executed at the higher price, causing them to pay more DAI for WETH

  • Then attacker sends second transaction to swap back the previously bought WETH for DAI, restoring the WETH price to its original level.

• As a result protocols receives fewer WETH than expected and pays more DAI due to the sandwich attack.

• The attacker profits from the price manipulation and the price reversion, gaining an unfair advantage at the expense of the target trader.

Impact

Significant loss of fees collected by protocol

Tools Used

Manual Review

Recommendations

Set amountOutMinimum parameter to reasonable amount to avoid the slippage.