Submission Details
Severity:
Fee contract executes swap without slippage protection.
Summary - Vulnerability Details
In the Fee contract's sellProfits function, we are performing a swap of loan tokens to collateral tokens but we have set the amountOutMinimum equal to 0, which means we accept the minimum tokens came out from this swap are 0.
This is a huge vulnerabilty!
An attacker bot can listen for the swap transaction and can perform sandwich attacks (frontrunning) using flash loans.
Impact
That will cause a loss of funds for swappers
Code Snippet
/// @notice swap loan tokens for collateral tokens from liquidations
/// @param _profits the token to swap for WETH
function sellProfits(address _profits) public {
require(_profits != WETH, "not allowed");
uint256 amount = IERC20(_profits).balanceOf(address(this));
// * @audit high - lack of slippage protection
ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
.ExactInputSingleParams({
tokenIn: _profits,
tokenOut: WETH,
fee: 3000,
recipient: address(this),
deadline: block.timestamp,
amountIn: amount,
amountOutMinimum: 0,
sqrtPriceLimitX96: 0
});
amount = swapRouter.exactInputSingle(params);
IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));
}
Tools Used
Manual Review
Recommendations
Should check the prize before the swap and pass the minimum expected tokens based on it in the sellProfits function.
Prize pool breakdown
Total prize
20,000 USDC
nSLOC
70628 USDC / LOC
18,000 USDC
2,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.