20,000 USDC
Submission Details
Severity: high
Valid

No slippage or deadline protection in `sellProfits`, which can make the protocol lose funds

Summary

Fees.sol uses the UniswapV3 router to swap the profits it has earned into WETH and then transfers that WETH to the Staking contract, but it applies no protection to the swap. This leaves the trade open to sandwich attacks and to loss of funds for the protocol.

Vulnerability Details

The function sellProfits uses the UniswapV3 router contract to swap any assets it holds from protocol profits into WETH, but, as the swap params show, it has no slippage protection (https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Fees.sol#L38), since amountOutMinimum is set to 0, and it has no effective deadline either (https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Fees.sol#L36), since the parameter is set to block.timestamp. A deadline of block.timestamp is evaluated in whatever block the transaction is finally mined in, so the router's deadline check can never fail and the transaction can sit pending for as long as it takes. Together these mean the trade will accept any output amount at any time, which makes it highly susceptible to sandwich attacks and can lead to a large loss of funds for the protocol.

Impact

High: the unprotected swap can be sandwiched, which leads to a loss of funds for the protocol.

Tools Used

Manual review

Recommendations

Consider implementing slippage protection (a non-zero amountOutMinimum) and passing a real deadline instead of block.timestamp, so the swap only executes on terms acceptable to the protocol and is protected from sandwiching.
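To make the recommendation concrete, the following is an added illustration written for this report; it is not the Beedle project's Fees.sol. It places a swap with the shape described in the finding (amountOutMinimum of 0 and deadline of block.timestamp) next to a hardened version that takes both values from a trusted caller. The contract name, the keeper address, the pool fee tier and the constructor layout are assumptions; only the two weak parameters come from the finding above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {ISwapRouter} from "@uniswap/v3-periphery/contracts/interfaces/ISwapRouter.sol";

/// Illustrative contract (not the project's Fees.sol): the unprotected swap
/// described in the finding next to a hardened version of the same swap.
contract FeesExample {
    address public immutable WETH;
    address public immutable staking;
    address public immutable keeper; // hypothetical trusted caller of sellProfits
    ISwapRouter public immutable swapRouter;

    uint24 private constant POOL_FEE = 3000; // assumed pool fee tier

    constructor(address _weth, address _staking, address _router, address _keeper) {
        WETH = _weth;
        staking = _staking;
        swapRouter = ISwapRouter(_router);
        keeper = _keeper;
    }

    /// Shape described in the finding: amountOutMinimum = 0 accepts any output,
    /// and deadline = block.timestamp is the time of whatever block the
    /// transaction lands in, so neither value constrains the swap.
    function sellProfitsUnprotected(address _profits) external {
        require(_profits != WETH, "not allowed");
        uint256 amount = IERC20(_profits).balanceOf(address(this));
        IERC20(_profits).approve(address(swapRouter), amount);

        ISwapRouter.ExactInputSingleParams memory params = ISwapRouter.ExactInputSingleParams({
            tokenIn: _profits,
            tokenOut: WETH,
            fee: POOL_FEE,
            recipient: address(this),
            deadline: block.timestamp, // never expires
            amountIn: amount,
            amountOutMinimum: 0,       // any output accepted
            sqrtPriceLimitX96: 0
        });
        swapRouter.exactInputSingle(params);
        require(IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this))), "transfer failed");
    }

    /// Hardened version: the caller supplies a minimum acceptable output (from an
    /// off-chain quote minus a tolerance) and an absolute deadline. Because these
    /// values are trusted, the call is restricted to the keeper; if it stayed
    /// callable by anyone, a caller could simply pass 0 again.
    function sellProfits(address _profits, uint256 minAmountOut, uint256 deadline) external {
        require(msg.sender == keeper, "not keeper");
        require(_profits != WETH, "not allowed");
        require(minAmountOut > 0, "minAmountOut must be set");
        require(deadline >= block.timestamp, "deadline passed");

        uint256 amount = IERC20(_profits).balanceOf(address(this));
        require(amount > 0, "nothing to sell");
        IERC20(_profits).approve(address(swapRouter), amount);

        ISwapRouter.ExactInputSingleParams memory params = ISwapRouter.ExactInputSingleParams({
            tokenIn: _profits,
            tokenOut: WETH,
            fee: POOL_FEE,
            recipient: address(this),
            deadline: deadline,             // router reverts if mined after this
            amountIn: amount,
            amountOutMinimum: minAmountOut, // router reverts if output is below this
            sqrtPriceLimitX96: 0
        });
        uint256 received = swapRouter.exactInputSingle(params);
        require(received >= minAmountOut, "insufficient output"); // defensive re-check
        require(IERC20(WETH).transfer(staking, received), "transfer failed");
    }
}
```

The router enforces both parameters itself (it reverts when the output is below amountOutMinimum or the block timestamp is past the deadline), so the protection comes from supplying meaningful values rather than from extra checks in the contract. A non-zero amountOutMinimum only helps if the caller cannot be an attacker, which is why the hardened function is gated to a keeper; an alternative is to derive the minimum on-chain from a manipulation-resistant price source.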
