Submission Details
Severity: high
Valid

Unspecified slippage allows sandwich attacks

Summary

The swap is executed without a slippage limit, which allows attackers to sandwich the transaction and extract its value.

Vulnerability Details

The sellProfits function in Fees.sol executes a swap on Uniswap, but amountOutMinimum, the parameter responsible for slippage protection, is set to 0. This allows the swap to return 0 tokens for the amount provided. MEV bots can pick the transaction up from the mempool and sandwich it by manipulating the pool in which the swap takes place.

function sellProfits(address _profits) public {
    require(_profits != WETH, "not allowed");
    // Sell the contract's entire balance of the profit token for WETH
    uint256 amount = IERC20(_profits).balanceOf(address(this));
    ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
        .ExactInputSingleParams({
            tokenIn: _profits,
            tokenOut: WETH,
            fee: 3000,
            recipient: address(this),
            deadline: block.timestamp,
            amountIn: amount,
            amountOutMinimum: 0, //@audit 0 as a slippage amount makes this swap very vulnerable to sandwich attacks
            sqrtPriceLimitX96: 0
        });
    amount = swapRouter.exactInputSingle(params);
    // Forward all WETH held by the contract to the staking contract
    IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));
}

Impact

The entire amount being swapped can be lost to the sandwiching attacker, since the router accepts any output down to 0.

Tools Used

Manual Review

Recommendations

Consider setting amountOutMinimum to an appropriate value derived from a reference price, with a conservative tolerance for price impact.
