20,000 USDC
Submission Details
Severity: medium
Valid

Fixed fee level is used when swapping tokens on Uniswap

Summary

A fixed fee level is used when swapping tokens on Uniswap.

Vulnerability Details

In the Fees contract, the sellProfits(…) function is used to swap loan tokens for collateral tokens from liquidations. When it constructs ISwapRouter.ExactInputSingleParams, a fixed fee level of 3000 (0.3%) is used:

ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
    .ExactInputSingleParams({
        tokenIn: _profits,
        tokenOut: WETH,
        fee: 3000,
        recipient: address(this),
        deadline: block.timestamp,
        amountIn: amount,
        amountOutMinimum: 0,
        sqrtPriceLimitX96: 0
    });

However, not all pools in Uniswap are created with a fee level of 3000. For example, the fee level of XMON / ETH (0x59b4bb1f5d943cf71a10df63f6b743ee4a4489ee) on Mainnet is 10000 (1%), and the fee level of WETH / BOB (0x1a54ae9f662b463f8d432482975c17e51518b50d) on Optimism is 500 (0.05%).

Impact

Using a fixed fee level when swapping tokens may lead to some fee tokens being locked in the contract.

Tools Used

Manual Review

Recommendations

Pass the fee level to the sellProfits(…) function as a parameter:

- function sellProfits(address _profits) public {
+ function sellProfits(address _profits, uint24 fee) public {
require(_profits != WETH, "not allowed");
uint256 amount = IERC20(_profits).balanceOf(address(this));
ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
.ExactInputSingleParams({
tokenIn: _profits,
tokenOut: WETH,
- fee: 3000,
+ fee: fee,
recipient: address(this),
deadline: block.timestamp,
amountIn: amount,
amountOutMinimum: 0,
sqrtPriceLimitX96: 0
});
amount = swapRouter.exactInputSingle(params);
IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));
}
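
Review bot: the new fee argument on the function signature is an unvalidated value on a public function, while the params still set amountOutMinimum: 0, so any caller decides which pool the swap executes against and there is no lower bound on what the contract receives. Restrict who may call sellProfits or check fee against a per-token allowlist, and replace the hardcoded 0 with a caller-supplied or oracle-derived minimum output. The return value of IERC20(WETH).transfer on the last line is also not checked.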
