20,000 USDC
Submission Details
Severity: medium
Valid

No expiration deadline is specified for the swap transaction

Vulnerability Details

The protocol should specify a deadline parameter that enforces a time limit by which the transaction must be executed. Without a deadline parameter, the transaction may sit in the mempool and be executed at a much later time, potentially resulting in a worse price for the user.

```solidity
ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
    .ExactInputSingleParams({
        tokenIn: _profits,
        tokenOut: WETH,
        fee: 3000,
        recipient: address(this),
        deadline: block.timestamp, // <- flagged
        amountIn: amount,
        amountOutMinimum: 0,       // <- flagged
        sqrtPriceLimitX96: 0
    });
amount = swapRouter.exactInputSingle(params);
IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));
```

Protocols shouldn't set the deadline to block.timestamp: a validator can hold the transaction, and whichever block it is eventually included in supplies the block.timestamp it is compared against, so the check always passes and offers no protection.
In addition, because amountOutMinimum is set to zero, the swap has no protection at all against price slippage attacks.

Impact

This opens the protocol up to a huge loss of funds through price slippage attacks or MEV bot attacks, putting the funds of the protocol or its users in danger.

Tools Used

Manual review

Recommendations

The protocol needs to use a user-defined input to effectively enforce any deadline.
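One way to apply this recommendation, shown as an added example and not the protocol's own code: the swap takes both the deadline and the minimum output from the caller, which also covers the zero amountOutMinimum noted above. The contract name `ProfitSwapper`, the function `swapProfits`, the constructor and the `minAmountOut` and `deadline` parameters are assumptions; access control and the router's token allowance are assumed to be handled elsewhere.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Interfaces trimmed to the members this example calls.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface ISwapRouter {
    struct ExactInputSingleParams {
        address tokenIn;
        address tokenOut;
        uint24 fee;
        address recipient;
        uint256 deadline;
        uint256 amountIn;
        uint256 amountOutMinimum;
        uint160 sqrtPriceLimitX96;
    }
    function exactInputSingle(ExactInputSingleParams calldata params)
        external payable returns (uint256 amountOut);
}

// Hypothetical contract; its name, constructor and function are assumptions.
contract ProfitSwapper {
    ISwapRouter public immutable swapRouter;
    address public immutable WETH;
    address public immutable staking;

    constructor(ISwapRouter _router, address _weth, address _staking) {
        swapRouter = _router;
        WETH = _weth;
        staking = _staking;
    }

    // minAmountOut and deadline are fixed off-chain when the transaction is
    // signed, so the router reverts if inclusion is delayed past the deadline
    // or the price has moved beyond the caller's bound.
    function swapProfits(address _profits, uint256 amount, uint256 minAmountOut, uint256 deadline)
        external returns (uint256 amountOut)
    {
        require(minAmountOut > 0, "slippage bound required");
        amountOut = swapRouter.exactInputSingle(
            ISwapRouter.ExactInputSingleParams({
                tokenIn: _profits, tokenOut: WETH, fee: 3000, recipient: address(this),
                deadline: deadline, amountIn: amount,
                amountOutMinimum: minAmountOut, sqrtPriceLimitX96: 0
            })
        );
        require(IERC20(WETH).transfer(staking, amountOut), "transfer failed");
    }
}
```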
