Submission Details
Severity: high
Valid

`amountOutMinimum` being hardcoded to 0 makes swaps vulnerable to sandwich attacks

Summary

The sellProfits function lacks slippage protection, making it vulnerable to sandwich attacks that can cause financial losses for swappers.

Vulnerability Details

Take a look at Fees.sol#L24-L45

```solidity
/// @notice swap loan tokens for collateral tokens from liquidations
/// @param _profits the token to swap for WETH
function sellProfits(address _profits) public {
    require(_profits != WETH, "not allowed");
    uint256 amount = IERC20(_profits).balanceOf(address(this));
    ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
        .ExactInputSingleParams({
            tokenIn: _profits,
            tokenOut: WETH,
            fee: 3000,
            recipient: address(this),
            deadline: block.timestamp,
            amountIn: amount,
            //@audit hardcoded to 0: any output amount, however small, is accepted
            amountOutMinimum: 0,
            sqrtPriceLimitX96: 0
        });
    amount = swapRouter.exactInputSingle(params);
    IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));
}
```

As seen, the sellProfits() function is designed to swap loan tokens for collateral tokens from liquidations. The function uses ISwapRouter's exactInputSingle method to perform this swap.

However, the function does not enforce slippage protection: amountOutMinimum is hardcoded to zero, so the swap accepts any output amount. A searcher who observes the pending transaction can front-run it to move the pool price, let the swap execute at the worse price, and back-run it to restore the price, which exposes the function to sandwich attacks and therefore to financial loss.

Impact

Significant financial losses whenever a swap gets sandwiched.

Tools Used

Manual Audit

Recommended Mitigation

Implement a mechanism to enforce slippage protection in the sellProfits function. This can be done by requiring a non-zero minimum output amount (amountOutMinimum) derived from a current price quote, and by passing a caller-supplied deadline instead of block.timestamp, which never expires.
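A hardened version of sellProfits, added here as an illustration and not the project's own code: the minimum output and deadline become parameters, the minimum must be non-zero, and the function is restricted to a trusted `keeper` address (an assumption introduced for this example, since a public function that takes `_minOut` would still let anyone call it with 0). `swapRouter`, `WETH` and `staking` are assumed to exist as in Fees.sol, and token approval to the router is assumed to be handled elsewhere, as in the original snippet.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@uniswap/v3-periphery/contracts/interfaces/ISwapRouter.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";

contract FeesHardened {
    ISwapRouter public immutable swapRouter; // assumed, as in Fees.sol
    address public immutable WETH;            // assumed, as in Fees.sol
    address public immutable staking;         // assumed, as in Fees.sol
    address public immutable keeper;          // hypothetical trusted caller added for this example

    constructor(ISwapRouter _router, address _weth, address _staking, address _keeper) {
        swapRouter = _router;
        WETH = _weth;
        staking = _staking;
        keeper = _keeper;
    }

    /// @notice sell accumulated profit tokens for WETH with slippage protection
    /// @param _profits the token to swap for WETH
    /// @param _minOut minimum WETH accepted; the keeper derives it off-chain from a
    ///        fresh quote minus an agreed tolerance, so it must be strictly positive
    /// @param _deadline last block timestamp at which the swap may still execute
    function sellProfits(address _profits, uint256 _minOut, uint256 _deadline) external {
        // A public entry point would let anyone re-introduce the bug by passing _minOut = 0.
        require(msg.sender == keeper, "not keeper");
        require(_profits != WETH, "not allowed");
        // Reject the zero minimum that made the original swap sandwichable.
        require(_minOut > 0, "zero min out");
        // block.timestamp as the deadline never expires; require a real one.
        require(_deadline >= block.timestamp, "expired");

        uint256 amount = IERC20(_profits).balanceOf(address(this));
        ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
            .ExactInputSingleParams({
                tokenIn: _profits,
                tokenOut: WETH,
                fee: 3000,
                recipient: address(this),
                deadline: _deadline,
                amountIn: amount,
                amountOutMinimum: _minOut, // router reverts if less WETH would be received
                sqrtPriceLimitX96: 0
            });
        swapRouter.exactInputSingle(params);
        IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));
    }
}
```

If no trusted caller is acceptable, the minimum can instead be computed on-chain from a time-weighted price source and a fixed tolerance, which removes the need for the keeper restriction.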
