20,000 USDC
Submission Details
Severity: medium
Valid

Function `sellProfits()` does not allow the user to supply a deadline parameter

Summary

The function sellProfits() lacks a user-defined deadline parameter, so its swap transactions effectively have no deadline. This exposes users to sandwich attacks and Miner Extractable Value (MEV) risks.

Vulnerability Details

The sellProfits() function does not allow users to supply their own deadline: the deadline parameter is simply set to the block.timestamp of the block in which the transaction executes. Since that check is satisfied in whatever block the transaction lands, the transaction effectively has no deadline. It may be included at any time by validators and remain pending in the mempool indefinitely, potentially exposing users to sandwich attacks by attackers or MEV bots.

Impact

Consider the following scenario:

Alice calls the function sellProfits and provides the address of BNB. She wants to swap 300 BNB tokens for 30 WETH and later sell the 1 WETH for 3000 DAI. She signs the transaction.

The transaction is submitted to the mempool; however, Alice chose a transaction fee that is too low for validators to be interested in including her transaction in a block. The transaction stays pending in the mempool for an extended period, which could be hours, days, weeks, or even longer.

When the average gas fee drops far enough for Alice's transaction to become interesting again for miners to include it, her trade will be executed. In the meantime, the price of WETH could have drastically decreased. She has unknowingly performed a bad trade due to the pending transaction she forgot about.

An even worse way this issue can be maliciously exploited is through MEV:

Tools Used

Manual Review

Recommendations

Allow users to supply their own deadline parameter and pass it through to the swap call, so that a transaction which is not mined before the chosen time reverts instead of executing at a stale price.
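The shape of the fix, as an added illustration that is not the audited project's code: a hypothetical ProfitSeller contract with the deadline-less variant next to the hardened one. The Uniswap V2-style router interface, the `amountOutMin` parameter and the token/WETH path are assumptions; the report does not name the DEX or the real signature of sellProfits().

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed Uniswap V2-style router interface (the report does not name the DEX).
interface IRouter {
    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path,
        address to,
        uint256 deadline
    ) external returns (uint256[] memory amounts);
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical contract sketch, not the audited code.
contract ProfitSeller {
    IRouter public immutable router;
    address public immutable weth;

    constructor(IRouter _router, address _weth) {
        router = _router;
        weth = _weth;
    }

    // Vulnerable shape: deadline is block.timestamp at execution time, so the
    // router's deadline check passes in whatever block the tx finally lands in.
    function sellProfitsNoDeadline(address token, uint256 amountOutMin) external {
        _swap(token, amountOutMin, block.timestamp);
    }

    // Hardened shape: the caller fixes the deadline when signing. A transaction
    // that sits in the mempool past that time reverts instead of executing stale.
    function sellProfits(address token, uint256 amountOutMin, uint256 deadline) external {
        require(deadline >= block.timestamp, "ProfitSeller: deadline expired");
        _swap(token, amountOutMin, deadline);
    }

    function _swap(address token, uint256 amountOutMin, uint256 deadline) internal {
        uint256 amountIn = IERC20(token).balanceOf(address(this));
        IERC20(token).approve(address(router), amountIn);
        address[] memory path = new address[](2);
        path[0] = token;
        path[1] = weth;
        router.swapExactTokensForTokens(amountIn, amountOutMin, path, address(this), deadline);
    }
}
```

The explicit require is redundant with the router's own deadline check but fails fast with a clear reason before any approval is made.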
