When using ISwapRouter from Uniswap V3, _staking will accept the swap even when the amount returned is 0, because amountOutMinimum is hardcoded to 0 in the ExactInputSingleParams.
In Uniswap's documentation there is an article on how to execute a swap transaction and, in particular, what value to set for the vulnerable amountOutMinimum
param:
• amountOutMinimum: we are setting to zero, but this is a significant risk in production. As a result this can lead to loss of staking funds due to sandwich attacks.
Let's suppose that address _staking wants to trade some ERC20 token for WETH. It submits the transaction and it goes to the mempool. A bot sees the pending transaction and front-runs _staking by purchasing WETH before the large trade is executed. This purchase raises the price of WETH relative to the input asset for the _staking trader and increases the slippage (the expected change in price given the volume to be traded and the available liquidity). Because amountOutMinimum is 0, the swap has no lower bound on the output and goes through at whatever the manipulated price is.
Manual
As recommended in the Uniswap docs, the amountOutMinimum
param's value should be calculated using their SDK or an on-chain price oracle. This helps protect against getting an unusually bad price for a trade due to a front-running sandwich or another type of price manipulation.
Guide:
https://docs.uniswap.org/contracts/v3/guides/swaps/single-swaps
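The following contract is an added illustration written for this report; it is not the audited project's code. It places the vulnerable pattern (amountOutMinimum hardcoded to 0) next to a hardened version that derives the minimum from a price quote and a bounded slippage tolerance. The IPriceOracle interface, the StakingSwapExample contract name, the 0.3% fee tier (fee: 3000) and the 5% slippage cap are assumptions made for the example; the ISwapRouter and TransferHelper imports are the real Uniswap v3-periphery ones.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@uniswap/v3-periphery/contracts/interfaces/ISwapRouter.sol";
import "@uniswap/v3-periphery/contracts/libraries/TransferHelper.sol";

/// @dev Hypothetical oracle interface (assumption for this example): returns the
///      amount of tokenOut expected for amountIn at the current fair price,
///      e.g. backed by a Chainlink feed or a Uniswap TWAP.
interface IPriceOracle {
    function quote(address tokenIn, address tokenOut, uint256 amountIn)
        external view returns (uint256 expectedOut);
}

contract StakingSwapExample {
    ISwapRouter public immutable router;
    IPriceOracle public immutable oracle;
    address public immutable weth;

    uint256 public constant BPS = 10_000;
    /// @dev Cap on caller-supplied slippage, so a bad parameter cannot quietly
    ///      reintroduce the "accept any output" behaviour of the vulnerable path.
    uint256 public constant MAX_SLIPPAGE_BPS = 500; // 5%, assumed for the example
    uint24 public constant POOL_FEE = 3000;          // 0.3% tier, assumed

    constructor(ISwapRouter _router, IPriceOracle _oracle, address _weth) {
        router = _router;
        oracle = _oracle;
        weth = _weth;
    }

    /// @notice Vulnerable pattern from the finding: amountOutMinimum is 0, so the
    ///         router will settle the swap at any price, including near-zero output.
    function swapToWethUnsafe(address tokenIn, uint256 amountIn, uint256 deadline)
        external returns (uint256 amountOut)
    {
        TransferHelper.safeTransferFrom(tokenIn, msg.sender, address(this), amountIn);
        TransferHelper.safeApprove(tokenIn, address(router), amountIn);
        ISwapRouter.ExactInputSingleParams memory p = ISwapRouter.ExactInputSingleParams({
            tokenIn: tokenIn,
            tokenOut: weth,
            fee: POOL_FEE,
            recipient: msg.sender,
            deadline: deadline,
            amountIn: amountIn,
            amountOutMinimum: 0, // no floor: sandwichable
            sqrtPriceLimitX96: 0
        });
        amountOut = router.exactInputSingle(p);
    }

    /// @notice Hardened pattern: minimum output derived from an oracle quote and a
    ///         bounded slippage tolerance, so a manipulated pool price reverts the swap.
    function swapToWethSafe(address tokenIn, uint256 amountIn, uint256 slippageBps, uint256 deadline)
        external returns (uint256 amountOut)
    {
        require(slippageBps <= MAX_SLIPPAGE_BPS, "slippage too high");
        require(deadline >= block.timestamp, "deadline passed");

        uint256 expectedOut = oracle.quote(tokenIn, weth, amountIn);
        require(expectedOut > 0, "oracle returned zero");
        uint256 minOut = minOutFor(expectedOut, slippageBps);

        TransferHelper.safeTransferFrom(tokenIn, msg.sender, address(this), amountIn);
        TransferHelper.safeApprove(tokenIn, address(router), amountIn);
        ISwapRouter.ExactInputSingleParams memory p = ISwapRouter.ExactInputSingleParams({
            tokenIn: tokenIn,
            tokenOut: weth,
            fee: POOL_FEE,
            recipient: msg.sender,
            deadline: deadline,
            amountIn: amountIn,
            amountOutMinimum: minOut, // router reverts if the pool pays less
            sqrtPriceLimitX96: 0
        });
        amountOut = router.exactInputSingle(p);
        // Defence in depth: the router already enforces the floor, but an explicit
        // check keeps the invariant visible in this contract's own code.
        require(amountOut >= minOut, "insufficient output");
    }

    /// @notice expectedOut reduced by slippageBps basis points, rounded down.
    function minOutFor(uint256 expectedOut, uint256 slippageBps) public pure returns (uint256) {
        return expectedOut * (BPS - slippageBps) / BPS;
    }
}
```

The oracle quote must come from a source the front-runner cannot move within the same block (a Chainlink feed or a sufficiently long TWAP), otherwise the floor just tracks the manipulated spot price. Off-chain callers can instead compute minOut with the Uniswap SDK and pass it in; the on-chain cap on slippageBps is what prevents a caller from handing in 0 again.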