A slippage of 0 allows anyone to steal the fee contract funds
Summary
In the Fee contract, the funds in the contract will be swapped to WETH, and then will be deposited in the Staking contract as incentives.
But since the slippage is 0 during the swap, anyone can steal all the funds through a sandwich or JIT attack, and no WETH will be credited as a reward to the staking contract.
Vulnerability Details
Anyone can call sellProfits so they don't need to listen to the mempool but trigger it themselves
The malicious users push the tick in the uniswap3 pool to a high level, and then swap through a sandwich or JIT, the minimum WETH received can be 0, and then restore the tick in the pool to the market price, the attacker can steal almost all the tokens of the swap.
Impact
A malicious user can steal all the tokens in the Fee contract, the staking contract will not be incentivized, and no users will want to staking.
Tools Used
Manual review
Recommendations
Fix a percentage slippage or set the owner to manage the slippage.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.