20,000 USDC
Submission Details
Severity: high
Valid

No slippage check in `sellProfits`, it could be exploited by a MEV bot

Summary

The code sets `amountOutMinimum` to 0 in `ExactInputSingleParams`, so the swap accepts any output amount and can be sandwiched by MEV bots.

Vulnerability Details

In the code below, `amountOutMinimum` is set to 0. In Uniswap V3's `ExactInputSingleParams`, `amountOutMinimum` is the least amount of `tokenOut` the caller will accept, and the SwapRouter reverts the swap if the actual output is lower. With it set to 0 the swap accepts any output, so a searcher can sandwich it: front-run by selling the same token into the pool to push its price down, let `sellProfits` execute at the worse price, then back-run by buying the token back cheaper. The protocol's loss is bounded only by the pool's liquidity and `amountIn`. `deadline: block.timestamp` offers no protection either, since it is satisfied in whatever block the transaction is included.

```solidity
ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
    .ExactInputSingleParams({
        tokenIn: _profits,
        tokenOut: WETH,
        fee: 3000,                 // 0.3% pool tier
        recipient: address(this),
        deadline: block.timestamp, // always satisfied: no effective time bound
        amountIn: amount,
        amountOutMinimum: 0,       // accepts any output, so the swap can be sandwiched
        sqrtPriceLimitX96: 0       // no price limit either
    });
```
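The sandwich described above, as an added example that is not code from the audited project or from Uniswap. It models the pool as constant-product (x * y = k) with the 0.3% fee the report's params select (`fee: 3000`); Uniswap V3 is concentrated liquidity, but inside one tick range it behaves as x * y = k, so this is a first-order model. The pool reserves, trade sizes and the `PROFIT` token name are constructed for the illustration. It shows the victim's swap losing WETH when `amountOutMinimum` is 0, the searcher profiting only because the victim is in the middle, and the same swap reverting when a slippage bound is set.

```python
"""Sandwich attack against a swap submitted with amountOutMinimum = 0.

Added example, not code from the audited project or from Uniswap.
Constant-product pool (x * y = k) with a 0.3% fee; all amounts constructed.
"""

FEE_BPS = 30     # 0.3%, the `fee: 3000` tier used in the report
WETH = 10**18    # 1 WETH in wei


class TooLittleReceived(Exception):
    """Stand-in for the SwapRouter revert when output < amountOutMinimum."""


class Pool:
    """Constant-product pool of a constructed PROFIT token against WETH."""

    def __init__(self, reserve_profit, reserve_weth):
        self.profit = reserve_profit
        self.weth = reserve_weth

    @staticmethod
    def _out(reserve_in, reserve_out, amount_in):
        after_fee = amount_in * (10_000 - FEE_BPS) // 10_000
        return reserve_out * after_fee // (reserve_in + after_fee)

    def quote_profit_to_weth(self, amount_in):
        return self._out(self.profit, self.weth, amount_in)

    def sell_profit(self, amount_in, amount_out_minimum=0):
        """exactInputSingle(PROFIT -> WETH) with the router's minimum-output check."""
        out = self.quote_profit_to_weth(amount_in)
        if out < amount_out_minimum:
            raise TooLittleReceived(f"got {out}, wanted at least {amount_out_minimum}")
        self.profit += amount_in
        self.weth -= out
        return out

    def sell_weth(self, amount_in):
        """Reverse direction, used by the searcher's back-run."""
        out = self._out(self.weth, self.profit, amount_in)
        self.weth += amount_in
        self.profit -= out
        return out


def fresh_pool():
    # Constructed reserves: 1,000,000 PROFIT against 1,000 WETH.
    return Pool(reserve_profit=1_000_000, reserve_weth=1_000 * WETH)


def victim_alone(victim_amount, amount_out_minimum=0):
    """Baseline: sellProfits executes with nobody trading in front of it."""
    return fresh_pool().sell_profit(victim_amount, amount_out_minimum)


def sandwich(victim_amount, attacker_amount, amount_out_minimum=0):
    """Front-run, victim swap, back-run.

    Returns (victim_weth_out, attacker_gain_in_profit_tokens).
    """
    pool = fresh_pool()
    # 1. Front-run: the searcher sells PROFIT first, pushing its price down.
    attacker_weth = pool.sell_profit(attacker_amount)
    # 2. The victim's sellProfits lands at the worse price. With
    #    amountOutMinimum = 0 it goes through; with a real bound it reverts here.
    victim_weth = pool.sell_profit(victim_amount, amount_out_minimum)
    # 3. Back-run: the searcher buys PROFIT back cheaper than it sold.
    attacker_profit_back = pool.sell_weth(attacker_weth)
    return victim_weth, attacker_profit_back - attacker_amount


def attacker_round_trip_alone(attacker_amount):
    """The same two trades with no victim in between: the searcher only pays fees."""
    pool = fresh_pool()
    weth = pool.sell_profit(attacker_amount)
    return pool.sell_weth(weth) - attacker_amount


def slippage_bound(expected_out, tolerance_bps):
    """minOut a caller derives from a quote taken while building the transaction."""
    return expected_out * (10_000 - tolerance_bps) // 10_000


def sandwich_reverts(victim_amount, attacker_amount, amount_out_minimum):
    """True if the bounded victim swap reverts inside the sandwich."""
    try:
        sandwich(victim_amount, attacker_amount, amount_out_minimum)
    except TooLittleReceived:
        return True
    return False


if __name__ == "__main__":
    fair = victim_alone(50_000)
    hit, gain = sandwich(50_000, 100_000)
    print(f"fair out: {fair / WETH:.2f} WETH, sandwiched out: {hit / WETH:.2f} WETH")
    print(f"searcher gain: {gain} PROFIT; alone: {attacker_round_trip_alone(100_000)}")
    print("1% bound reverts the sandwich:", sandwich_reverts(50_000, 100_000, slippage_bound(fair, 100)))
```

The point the last two functions make is the one that matters for the fix: the searcher's round trip loses money on fees unless a victim with no bound sits between the two legs, and a bound of even 1% below the quoted output turns the sandwiched swap into a revert instead of a loss.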

Impact

The `sellProfits` swap can be sandwiched for as much slippage as the pool's liquidity allows, so the protocol receives far less WETH for its profit tokens than the market price.

Tools Used

Manual Review

Recommendations

- function sellProfits(address _profits) public {
+ function sellProfits(address _profits,uint minOut) public {
...
ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
.ExactInputSingleParams({
tokenIn: _profits,
tokenOut: WETH,
fee: 3000,
recipient: address(this),
deadline: block.timestamp,
amountIn: amount,
- amountOutMinimum: 0,
+ amountOutMinimum: minOut,
sqrtPriceLimitX96: 0
});
...
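Review bot: `minOut` is caller-supplied while `sellProfits` stays `public`, so any caller can still pass `minOut = 0` and reproduce the original issue; either restrict who may call it or derive the bound on-chain (for example from the pool's TWAP with Uniswap's `OracleLibrary.consult` and `getQuoteAtTick`) rather than trusting the argument. The hunk also keeps `deadline: block.timestamp`, which is satisfied in any block the transaction lands in; take a `deadline` parameter next to `minOut` if the quote the bound was computed from is only meant to hold for a short window.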
