This report describes a potential vulnerability in the contract Fees.sol, specifically in the function sellProfits: the parameter amountOutMinimum is hardcoded to zero in the call to the Uniswap Router's exactInputSingle function.
The contract Fees.sol includes a function called sellProfits, which exchanges loan tokens for collateral tokens through the UniswapV3 Router by calling exactInputSingle. sellProfits builds an ExactInputSingleParams struct holding the parameters passed to exactInputSingle, and in that struct amountOutMinimum is set to zero:
ISwapRouter.ExactInputSingleParams memory params = ISwapRouter.ExactInputSingleParams({
    tokenIn: _profits,
    tokenOut: WETH,
    fee: 3000,
    recipient: address(this),
    deadline: block.timestamp,
    amountIn: amount,
    amountOutMinimum: 0, //@audit can be front-run
    sqrtPriceLimitX96: 0
});
The amountOutMinimum parameter is the minimum amount of output tokens the swap must return, otherwise the router reverts. As the Uniswap documentation explains, this parameter is the caller's safeguard against receiving an unfavorable price as a result of front-running or other forms of price manipulation.
With amountOutMinimum fixed at zero, every call to sellProfits accepts whatever output the pool happens to return at execution time. Each swap is therefore exposed to front-running sandwich attacks and can lose part of the collected profits.
Manual Review
To mitigate the vulnerability and protect against front-running, it is recommended to compute the minimum acceptable output dynamically, from a reference price for the swap with a bounded slippage tolerance applied, and to pass that value as amountOutMinimum instead of zero.
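As an added example of the recommended fix (not code from the audited project), the hardened sellProfits below derives amountOutMinimum from a reference quote and a slippage bound. The IPriceSource interface, the expectedWethOut function, the slippageBps storage variable, the FeesHardened contract name and the constructor are assumptions introduced here for illustration; the ISwapRouter struct and field names match the snippet quoted above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal declaration of the Uniswap V3 router interface used by Fees.sol.
// Field names match the ExactInputSingleParams struct quoted in the finding.
interface ISwapRouter {
    struct ExactInputSingleParams {
        address tokenIn;
        address tokenOut;
        uint24 fee;
        address recipient;
        uint256 deadline;
        uint256 amountIn;
        uint256 amountOutMinimum;
        uint160 sqrtPriceLimitX96;
    }

    function exactInputSingle(ExactInputSingleParams calldata params)
        external
        payable
        returns (uint256 amountOut);
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical reference-price source (assumption for this example): returns how
// much WETH `amountIn` of `token` should fetch at a manipulation-resistant price,
// e.g. an oracle or a TWAP, rather than the pool's current spot price.
interface IPriceSource {
    function expectedWethOut(address token, uint256 amountIn) external view returns (uint256);
}

contract FeesHardened {
    uint256 public constant BPS = 10_000;
    // Upper bound on the configurable tolerance so it can never be set to "accept anything".
    uint256 public constant MAX_SLIPPAGE_BPS = 500; // 5%

    ISwapRouter public immutable router;
    IPriceSource public immutable priceSource;
    address public immutable WETH;
    uint256 public slippageBps; // tolerance in basis points, assumed set by an admin

    constructor(ISwapRouter _router, IPriceSource _priceSource, address _weth, uint256 _slippageBps) {
        require(_slippageBps <= MAX_SLIPPAGE_BPS, "slippage too high");
        router = _router;
        priceSource = _priceSource;
        WETH = _weth;
        slippageBps = _slippageBps;
    }

    // Pure helper: the least output the contract will accept for a given reference quote.
    // Example: expectedOut = 1 ether, 50 bps -> 0.995 ether.
    function minAmountOut(uint256 expectedOut, uint256 _slippageBps) public pure returns (uint256) {
        require(_slippageBps <= BPS, "bad slippage");
        return (expectedOut * (BPS - _slippageBps)) / BPS;
    }

    // Access control on who may call this is assumed to exist in the real contract
    // and is omitted here to keep the example focused on amountOutMinimum.
    function sellProfits(address _profits, uint256 amount) external returns (uint256 amountOut) {
        uint256 expectedOut = priceSource.expectedWethOut(_profits, amount);
        uint256 minOut = minAmountOut(expectedOut, slippageBps);
        // A zero quote would silently re-create the original bug, so refuse to swap.
        require(minOut > 0, "no reference quote");

        IERC20(_profits).approve(address(router), amount);

        ISwapRouter.ExactInputSingleParams memory params = ISwapRouter.ExactInputSingleParams({
            tokenIn: _profits,
            tokenOut: WETH,
            fee: 3000,
            recipient: address(this),
            deadline: block.timestamp,
            amountIn: amount,
            amountOutMinimum: minOut, // router reverts if the pool returns less than this
            sqrtPriceLimitX96: 0
        });

        amountOut = router.exactInputSingle(params);
    }
}
```

The design point is that the bound comes from a price the attacker cannot move within the sandwiched transaction: a quote read from the same pool immediately before the swap would already reflect the front-running trade, so the check must be anchored to an oracle or time-weighted price. Bounding the admin-configurable tolerance with MAX_SLIPPAGE_BPS prevents a misconfiguration from reintroducing an effectively unbounded loss.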