Submission Details
Severity: medium
Valid

`Fees::sellProfits` does not allow the caller to supply a deadline, which may cause further financial loss for users

Summary

When `Fees::sellProfits` is called, all fees accumulated in the contract up to that point are swapped for WETH and sent to the staking contract.

The function does not let the caller supply their own deadline for the UniswapV3 swap. The `deadline` parameter is simply set to `block.timestamp`, i.e. the timestamp of whatever block the transaction ends up in. This effectively means the transaction has no deadline at all: it can remain pending in the mempool and be included by validators at any time, potentially exposing users to sandwich attacks by attackers or MEV bots, or to token loss because the price has moved lower by the time the swap executes.

Vulnerability Details

Swapping is done using Uniswap V3 router (ISwapRouter) with the following swap arguments:

    ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
        .ExactInputSingleParams({
            tokenIn: _profits,
            tokenOut: WETH,
            fee: 3000,
            recipient: address(this),
            deadline: block.timestamp,
            amountIn: amount,
            amountOutMinimum: 0,
            sqrtPriceLimitX96: 0
        });

The deadline is therefore always `block.timestamp`, so the swap never expires.

Consider the following scenario:

  • Alice wants to transfer the accumulated protocol fee revenue to the staking contract, so she initiates a sell.

  • The transaction is submitted to the mempool, but Alice chose a transaction fee that is too low for validators to be interested in including it in a block.

  • The transaction stays pending in the mempool for an extended period, which could be hours, days, weeks, or even longer.

  • When the average gas fee drops far enough for Alice's transaction to become attractive to validators again, her swap is executed. In the meantime, the price of the fee reward token could have fallen drastically. She has unknowingly performed a bad trade because of a pending transaction she forgot about.

Impact

Protocol fee rewards can be lost to sandwich attacks, or to adverse price movement while the transaction sits pending in the mempool.

Tools Used

Manual review, informed by similar findings in other audits.

Recommended Mitigation

Allow the caller to supply their own `deadline` parameter instead of hardcoding `block.timestamp`.
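As an added illustration (not the project's own code), here is a hardened `sellProfits` that takes the caller's deadline; the contract layout, constructor, function signature and the final transfer to the staking contract are assumptions made for the example. It also goes slightly beyond the stated mitigation: because the original call hardcodes `amountOutMinimum: 0`, the example exposes a minimum output too, since a deadline alone does not bound the price received.

```solidity
pragma solidity ^0.8.0;

// Minimal interface for the Uniswap V3 router call shown in the finding.
interface ISwapRouter {
    struct ExactInputSingleParams {
        address tokenIn; address tokenOut; uint24 fee; address recipient;
        uint256 deadline; uint256 amountIn; uint256 amountOutMinimum; uint160 sqrtPriceLimitX96;
    }
    function exactInputSingle(ExactInputSingleParams calldata p) external payable returns (uint256);
}
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function approve(address, uint256) external returns (bool);
    function transfer(address, uint256) external returns (bool);
}

contract FeesExample {
    ISwapRouter public immutable router; // assumed: set in constructor
    address public immutable WETH;
    address public immutable staking;    // assumed: receives the swapped WETH

    constructor(ISwapRouter _router, address _weth, address _staking) {
        router = _router; WETH = _weth; staking = _staking;
    }

    // Hardened sellProfits: the caller fixes the latest acceptable timestamp and
    // the minimum WETH it will accept, so a transaction that lingers in the mempool
    // reverts instead of executing at whatever price holds when it is finally mined.
    function sellProfits(address _profits, uint256 deadline, uint256 minOut)
        external returns (uint256 out)
    {
        require(deadline >= block.timestamp, "sellProfits: deadline passed"); // router checks too
        uint256 amount = IERC20(_profits).balanceOf(address(this));
        IERC20(_profits).approve(address(router), amount);
        out = router.exactInputSingle(ISwapRouter.ExactInputSingleParams({
            tokenIn: _profits,
            tokenOut: WETH,
            fee: 3000,
            recipient: address(this),
            deadline: deadline,       // was: block.timestamp, which never expires
            amountIn: amount,
            amountOutMinimum: minOut, // was: 0, which accepts any output
            sqrtPriceLimitX96: 0
        }));
        IERC20(WETH).transfer(staking, out);
    }
}
```

A front end would typically pass `deadline = now + a few minutes` and compute `minOut` from a quote, so a stale transaction reverts cheaply rather than swapping at a bad price.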
