20,000 USDC
Submission Details
Severity: high
Valid

[H-02] Fees#sellProfits - No price control limit for the profit token could be sandwich attacked by a malicious user

Summary

The function sellProfits has no price control limit for the _profits token because sqrtPriceLimitX96 is set to 0. This could allow a malicious user to perform a sandwich attack on the trade.

Vulnerability Details

The sellProfits function in the smart contract is responsible for selling fees collected from the Lender.sol contract. These fees are swapped for WETH through the Uniswap V3 Router.

The vulnerability originates from the sqrtPriceLimitX96 parameter, which is currently set to 0. This signifies that the token swap will proceed regardless of the price of the swap. A malicious user could exploit this flaw to perform a sandwich attack on the token swap.

Example:

  1. A user decides to swap the _profits token for WETH.

  2. A malicious user observes the pending swap in the mempool and chooses to frontrun the transaction. They proceed to swap a substantial quantity of _profits tokens for WETH, consequently inflating the price of WETH relative to _profits.

  3. The original swap transaction is then executed. Due to the altered price, the contract receives less WETH than expected because the sqrtPriceLimitX96 parameter is set to 0, thereby accepting any price.

  4. The malicious user subsequently initiates a third transaction, exchanging WETH back to _profits tokens. As the price of WETH relative to _profits is now inflated, the malicious user acquires more _profits tokens than they initially expended.

Impact

As a consequence, the malicious user gains from the price manipulation at the expense of the contract.

Tools Used

Manual Review.

Recommendations

It is advisable not to keep sqrtPriceLimitX96 at 0, but to assign it a dynamic value that reflects a realistic price range for the _profits token. This bounds the price slippage the swap will accept and protects against price manipulation attacks.
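To make the recommendation concrete, the following is an added example (written for this page, not code from the original finding or the audited contract) that derives a sqrtPriceLimitX96 from a reference price and a tolerance, in the direction the swap can move the price, and checks an execution price against it. It assumes the reference price comes from a trusted source such as an oracle or TWAP; the prices used when calling it are constructed.

```python
from math import isqrt

# TickMath bounds from the Uniswap V3 core library. The SwapRouter substitutes
# these (plus/minus one) when sqrtPriceLimitX96 == 0, which is why a zero limit
# accepts any execution price.
MIN_SQRT_RATIO = 4295128739
MAX_SQRT_RATIO = 1461446703485210103287273052203988822378723970342
Q192 = 1 << 192


def sqrt_price_x96(price_num: int, price_den: int) -> int:
    """Encode a price (token1 per token0, raw units) as Uniswap V3 sqrtPriceX96.

    sqrtPriceX96 = sqrt(price) * 2^96, computed with integer arithmetic so the
    result matches the on-chain fixed-point value without float rounding.
    """
    return isqrt(price_num * Q192 // price_den)


def price_limit_for_swap(ref_num: int, ref_den: int, tolerance_bps: int,
                         zero_for_one: bool) -> int:
    """Derive a sqrtPriceLimitX96 a fixed distance from a reference price.

    ref_num/ref_den is the trusted reference price (token1 per token0); the
    caller is assumed to obtain it from an oracle or TWAP. Selling _profits for
    WETH is zeroForOne when _profits is token0 of the pool. A zeroForOne swap
    can only push the price down, so the limit sits below the reference; a
    oneForZero swap can only push it up, so the limit sits above. The result is
    clamped to the open interval the pool accepts.
    """
    if not 0 <= tolerance_bps <= 10_000:
        raise ValueError("tolerance_bps must be in [0, 10000]")
    factor = 10_000 - tolerance_bps if zero_for_one else 10_000 + tolerance_bps
    limit = sqrt_price_x96(ref_num * factor, ref_den * 10_000)
    return min(max(limit, MIN_SQRT_RATIO + 1), MAX_SQRT_RATIO - 1)


def within_limit(execution_sqrt_price_x96: int, limit: int,
                 zero_for_one: bool) -> bool:
    """True if an execution price respects the limit in the swap's direction.

    On-chain, reaching the limit stops the swap (partial fill) rather than
    reverting, so a limit should be paired with a non-zero amountOutMinimum.
    """
    if zero_for_one:
        return execution_sqrt_price_x96 >= limit
    return execution_sqrt_price_x96 <= limit
```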
