The lack of a WETH-Profits Token pair upon calling sellProfits can expose it to malicious pool creation
Summary
Some tokens do not have Uniswap V3 pools with WETH, which allows a bad actor to frontrun the transaction and create a pool with an offset liquidity ratio and subsequently steal the funds.
Vulnerability Details
When calling sellProfits the function calls exactInputSingle on the Uniswap V3 SwapRouter with a token pair of WETH and the profits token address from calldata. In the case of a token pair between the two not existing the call will revert. This absence of such a pool can be used maliciously by a bad actor to frontrun the call and create a pool with an offset price so they can extract the tokens.
Impact
The tokens will be mostly lost due to the bad exchange rate. This will occur very rarely due to most tokens already having Uniswap v3 pairs with WETH, hence the medium severity.
Tools Used
Manual Review
Recommendations
Consider using swapExactInputMultihop with a path that is first swapping the less popular token into some other token with higher liquidity like USDC. It will be better for the specific case of the contract due to the arbitrary nature of the tokens it will be working with.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.