20,000 USDC
View results
Submission Details
Severity: high
Valid

A slippage of 0 allows anyone to steal the fee contract funds

Summary

In the Fee contract, the funds in the contract will be swapped to WETH, and then will be deposited in the Staking contract as incentives.
But since the slippage is 0 during the swap, anyone can steal all the funds through a sandwich or JIT attack, and no WETH will be credited as a reward to the staking contract.

Vulnerability Details

ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
.ExactInputSingleParams({
tokenIn: _profits,
tokenOut: WETH,
fee: 3000,
recipient: address(this),
deadline: block.timestamp,
amountIn: amount,
amountOutMinimum: 0,
sqrtPriceLimitX96: 0
});
  1. Anyone can call sellProfits so they don't need to listen to the mempool but trigger it themselves

  2. The malicious users push the tick in the uniswap3 pool to a high level, and then swap through a sandwich or JIT, the minimum WETH received can be 0, and then restore the tick in the pool to the market price, the attacker can steal almost all the tokens of the swap.

Impact

A malicious user can steal all the tokens in the Fee contract, the staking contract will not be incentivized, and no users will want to staking.

Tools Used

Manual review

Recommendations

Fix a percentage slippage or set the owner to manage the slippage.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.