20,000 USDC
Submission Details
Severity: medium
Valid

Use of a fixed Uniswap V3 pool for all swaps can result in paying excess fees, slippage, or loss of tokens

Summary

The Fees contract forces every swap through the Uniswap V3 pool with the 0.3% fee tier. This is suboptimal and can leave stakers, who are ultimately paid out these rewards, with fewer rewards than they should receive. For example, the USDC/ETH 0.05% fee pool has 270M in liquidity, while the USDC/ETH 0.3% fee pool has only 95M in liquidity (at time of writing). This means you are paying higher fees and will encounter more slippage by using the 0.3% fee pool.

Vulnerability Details

The sellProfits function is defined as follows:

    function sellProfits(address _profits) public {
        require(_profits != WETH, "not allowed");
        uint256 amount = IERC20(_profits).balanceOf(address(this));
        ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
            .ExactInputSingleParams({
                tokenIn: _profits,
                tokenOut: WETH,
                fee: 3000,
                recipient: address(this),
                deadline: block.timestamp,
                amountIn: amount,
                amountOutMinimum: 0,
                sqrtPriceLimitX96: 0
            });
        amount = swapRouter.exactInputSingle(params);
        IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));
    }

The fee is fixed at 3000 (the 0.3% tier), so in many cases a suboptimal Uniswap V3 pool is used to perform the swap.

Impact

Using a potentially suboptimal Uniswap V3 pool for swaps ultimately means that stakers receive fewer rewards.

Tools Used

Manual review

Recommendations

The fee value specifying the pool for swapping should either be an input to the sellProfits function, or should be set by an admin for specific pools, to ensure the optimal pool is being used.
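
One way to apply the admin-set variant of this recommendation, as an added example that is not the audited project's code. The contract name, the admin address, the poolFee mapping and setPoolFee are hypothetical; the interfaces are trimmed to the calls used, and the router allowance is assumed to be granted elsewhere, as in the original function.

```solidity
// Added example (not the audited project's code); interfaces trimmed to the calls used.
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
}
interface IUniswapV3Factory {
    function getPool(address, address, uint24) external view returns (address);
}
interface ISwapRouter {
    struct ExactInputSingleParams {
        address tokenIn; address tokenOut; uint24 fee; address recipient;
        uint256 deadline; uint256 amountIn; uint256 amountOutMinimum; uint160 sqrtPriceLimitX96;
    }
    function exactInputSingle(ExactInputSingleParams calldata) external payable returns (uint256);
}

contract FeesConfigurableTier {
    address public immutable WETH;
    address public immutable staking;
    address public immutable admin;             // assumption: a single admin address
    ISwapRouter public immutable swapRouter;
    IUniswapV3Factory public immutable factory;
    mapping(address => uint24) public poolFee;  // hypothetical: fee tier per profit token
    constructor(address weth, address staking_, address router, address factory_) {
        WETH = weth; staking = staking_; admin = msg.sender;
        swapRouter = ISwapRouter(router); factory = IUniswapV3Factory(factory_);
    }
    // The admin picks the tier per token; a tier with no deployed pool is rejected.
    function setPoolFee(address token, uint24 fee) external {
        require(msg.sender == admin, "not admin");
        require(factory.getPool(token, WETH, fee) != address(0), "no such pool");
        poolFee[token] = fee;
    }

    function sellProfits(address _profits) public {
        require(_profits != WETH, "not allowed");
        uint24 fee = poolFee[_profits];
        require(fee != 0, "fee tier not set"); // no silent fallback to 3000
        uint256 amount = IERC20(_profits).balanceOf(address(this));
        ISwapRouter.ExactInputSingleParams memory params = ISwapRouter.ExactInputSingleParams({
            tokenIn: _profits, tokenOut: WETH, fee: fee, recipient: address(this),
            deadline: block.timestamp, amountIn: amount,
            amountOutMinimum: 0, // unchanged from the page's code; only the fee tier differs
            sqrtPriceLimitX96: 0
        });
        swapRouter.exactInputSingle(params);
        IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));
    }
}
```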
