Beedle - Oracle free perpetual lending
BeedleFi
DeFiFoundry
20,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

`Fees` contract can be sandwiched

Bobface

Summary

The Fees contract can be sandwiched to steal its funds.

Vulnerability Details

The Fees contract sells accumulated protocol fees on Uniswap V3. The swap does neither set amountOutMinimum nor sqrtPriceLimitX96, meaning it can be sandwiched to steal its funds.

// Fees @ sellProfits
ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
.ExactInputSingleParams({
tokenIn: _profits,
tokenOut: WETH,
fee: 3000,
recipient: address(this),
deadline: block.timestamp,
amountIn: amount,
amountOutMinimum: 0, // <-----------
sqrtPriceLimitX96: 0 // <-----------
});

Impact

An attacker can steal the funds from the contract by sandwiching a call to sellProfits. For example, assuming the token to be sold is USDC:

  1. Sell a large amount of USDC on the USDC/WETH Uniswap V3 pool. A flashloan can be used.

  2. Call sellProfits, which causes the USDC from the contract to be sold into the manipulated pool, outputting a very minor amount of WETH.

  3. Buy USDC from the USDC/WETH Uniswap V3 pool with the funds received from step 1. This results in a profit for the attacker.

Tools Used

None

Recommendations

Use an oracle, for example Chainlink or on-chain Uniswap V3 TWAP, to calculate the expected swap output and set amountOutMinimum accordingly.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.