Submission Details
Severity: high
Valid

[H-01] Fees#sellProfits - No slippage control for the profit token could be sandwich attacked by a malicious user

Summary

The function sellProfits has no slippage control for the _profits token since amountOutMinimum is set to 0. This could lead to a malicious user executing a sandwich attack on the trade.

Vulnerability Details

The function sellProfits sells fees received from the Lender.sol contract. The fees are swapped for WETH through the Uniswap V3 Router.

The vulnerability lies in amountOutMinimum, which is currently set to 0. This means the swap will accept any amount of WETH in return, i.e. unlimited slippage. A malicious user can take advantage of this and sandwich attack the swap.

Example:

  1. A user decides to swap the _profits token to WETH

  2. A malicious user sees the swap in the mempool and decides to front-run the transaction, swapping a large amount of _profits tokens for WETH and thereby increasing the price of WETH relative to _profits.

  3. The original swap transaction now executes. Due to the change in price, the contract receives less WETH than anticipated because the amountOutMinimum parameter is set to 0, and hence any slippage is accepted.

  4. The malicious user then executes a third transaction, swapping WETH back to _profits tokens. Since the price of WETH in relation to _profits is now high, the malicious user gets more _profits tokens back than they originally spent.

Impact

As a result, the malicious user has profited from the price manipulation at the expense of the contract.

Tools Used

Manual Review.

Recommendations

It is recommended not to leave amountOutMinimum at 0 and instead compute it from the expected output of the _profits token swap minus an accepted slippage tolerance, so that a trade executed at a manipulated price reverts.
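The following is an added illustration, not code from the audited project or from this report: a constructed constant-product pool (a simplification of the Uniswap V3 pool, ignoring fees and concentrated liquidity) replays steps 1-4 above once with amountOutMinimum = 0 and once with the recommended bound derived from a fresh quote. The pool reserves, trade sizes and the 1% tolerance are assumed sample values.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constructed constant-product pool (x*y = k) quoting _profits against WETH.
    Fees and concentrated liquidity are ignored; this is a simplified stand-in."""
    profits: float  # reserve of the _profits token
    weth: float     # reserve of WETH

    def quote_profits_to_weth(self, amount_in: float) -> float:
        return self.weth * amount_in / (self.profits + amount_in)

    def swap_profits_for_weth(self, amount_in: float, amount_out_minimum: float) -> float:
        out = self.quote_profits_to_weth(amount_in)
        if out < amount_out_minimum:
            raise ValueError("Too little received")  # the check the router applies
        self.profits += amount_in
        self.weth -= out
        return out

    def swap_weth_for_profits(self, amount_in: float) -> float:
        out = self.profits * amount_in / (self.weth + amount_in)
        self.weth += amount_in
        self.profits -= out
        return out


def min_out_with_slippage(quoted_out: float, tolerance_bps: int) -> float:
    """amountOutMinimum = fresh quote minus the accepted tolerance in basis points."""
    return quoted_out * (10_000 - tolerance_bps) / 10_000


def sandwich(pool: Pool, victim_in: float, amount_out_minimum: float, attacker_in: float):
    """Replays steps 2-4 of the report around the contract's swap (step 1/3).
    Returns (WETH the contract received, or None if its swap reverted,
             attacker's net gain in _profits tokens)."""
    attacker_weth = pool.swap_profits_for_weth(attacker_in, 0)  # step 2: front-run
    try:
        victim_out = pool.swap_profits_for_weth(victim_in, amount_out_minimum)  # step 3
    except ValueError:
        victim_out = None  # the bound held: the contract's swap reverts
    attacker_back = pool.swap_weth_for_profits(attacker_weth)  # step 4: back-run
    return victim_out, attacker_back - attacker_in


if __name__ == "__main__":
    fair = Pool(1_000_000, 1_000).quote_profits_to_weth(10_000)  # quote before any manipulation
    print("amountOutMinimum = 0:", sandwich(Pool(1_000_000, 1_000), 10_000, 0, 200_000))
    print("1% slippage bound:  ", sandwich(Pool(1_000_000, 1_000), 10_000,
                                           min_out_with_slippage(fair, 100), 200_000))
```

With the bound in place the attacker's front-run still executes but the back-run only unwinds it, so without fees the net gain is zero (and negative once pool fees are counted).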
