Fixed fee level is used when swap tokens on Uniswap
Summary
Fixed fee level is used when swap tokens on Uniswap.
Vulnerability Details
In SmartVaultV3 contract, swap() funtion is used to swap loan tokens for collateral tokens from liquidations, when constructs ISwapRouter.ExactInputSingleParams, a fixed fee 3000 (0.3%) level is used:
function swap(bytes32 _inToken, bytes32 _outToken, uint256 _amount) external onlyOwner {
uint256 swapFee = _amount * ISmartVaultManagerV3(manager).swapFeeRate() / ISmartVaultManagerV3(manager).HUNDRED_PC();
address inToken = getSwapAddressFor(_inToken);
uint256 minimumAmountOut = calculateMinimumAmountOut(_inToken, _outToken, _amount);
ISwapRouter.ExactInputSingleParams memory params = ISwapRouter.ExactInputSingleParams({
tokenIn: inToken,
tokenOut: getSwapAddressFor(_outToken),
fee: 3000, // <-----
recipient: address(this),
deadline: block.timestamp,
amountIn: _amount - swapFee,
amountOutMinimum: minimumAmountOut,
sqrtPriceLimitX96: 0
});
inToken == ISmartVaultManagerV3(manager).weth() ?
executeNativeSwapAndFee(params, swapFee) :
executeERC20SwapAndFee(params, swapFee);
}
Impact
However, not all pools in Uniswap are created with fee level being 3000, for example, fee level of XMON / ETH (0x59b4bb1f5d943cf71a10df63f6b743ee4a4489ee) on Mainnet is 10000 (1%), fee level of WETH / BOB (0x1a54ae9f662b463f8d432482975c17e51518b50d) on Optimism is 500 (0.05%).
Tools Used
Manual review
Recommendations
Additional fee parameter should be passed to function swap() as parameter:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.