User can drain [Fees](https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Fees.sol) due to them using the UNI swap router
Summary
This is not about slippage or MEV, but more on tokens and their pools. Because unknown number of tokens are gonna pass-through Fees, some of them, small or big might not have the correct pool created. Thus users will be able to make the uni pools on their own terms and trade on them.
Vulnerability Details
Because there is no restriction on which tokens can be used with Lender there is no restriction which tokens pass through Fees, as some tokens might not have the 0.3% fee poll that Fees is requesting. For the tokens that don't have 0.3% fee pools, users will be able to in one transaction, make the pool and trade on it. Unfortunately owner of the pool, in it's creation, decides the ratios of token0 to token1, the creator of the pool can put tokenA (10 000 USD) to weth (2000 USD) for 1 : 1 ratio, thus trading 1 weth for 1 of tokenA, although tokenA is 5x more expensive.
Example:
| Preconditions |
|---|
| StakeWise SWISE does not have a pool with 0.3% fee |
| Fees has 500 000 SWISE |
| SWISE price - 0.09 USD |
| WETH price - 1875 USD |
| WETH : SWISE is 1 : 20833 |
Attacker makes a UNIv3 pool with SWICE : WETH with ratio 208 000 SWISE and 1 WETH (10x the CEX price). Then he makes the trade to this pool and withdraws all of it's liquidity. This way the attacker bough SWISE for 10x cheaper. And since everything could be packed in one TX he would be able to flash loan all of it.
Impact
User would be able to steal small cap or new tokens out of fees.
Tools Used
Manual review
Recommendations
To give advice for such a thing is complicated, because I am not sure how the founders want everything to work. My suggestion is to use a whitelist for the allowed tokens.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.