Fees Contract is vulnerable to sandwich attacks
Summary
Fees contract is executing swaps on UniswapV3 without any slippage protection, which makes it vulnerable to sandwich attacks.
Vulnerability Details
The Fees contract is supoosed to receive the fees and swap it to WETH. It uses UniswapV3 for that. However the slippage protection minAmountOut is set to 0, which basically disables the protection. This makes the contract vulnerable to a sandwich attack.
Assuming the contract wants to swap WBTC for WETH. An attacker monitoring the mempool can do the folliwing.
As soon as a transaction for the swap appears in the mempool, the attacker creates 2 transactions: One to buy a huge amount of WETH in that pool. and another one to sell it back. THe attacker ensures the first of these transactions gets executed before the swap of the Fees contract and the second one afterwards.
This results in the following chain of transactions executed:
Attacker sells WBTC for WETH in WBTC/WETH pool. (This increases the price for WETH)
Fees contract swaps WBTC for WETH (Note: The increased price is paid)
Attacker swaps back to WBTC (Making a profit because of the too high price the Fees contract paid)
Impact
Attacker can make profit out of Fees contract by sandwiching a swap.
Tools Used
Manual Review
Recommendations
calculate and set amountOutMinimum for slippage protection.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.