The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Valid

No user-defined deadline parameter in swap, allowing outdated slippage and allowing a pending transaction to be executed unexpectedly.

Vulnerability Details

Without a deadline, the transaction might be left hanging in the mempool and be executed way later than the user wanted.

That could lead to users/protocol getting a worse price, because a validator can just hold onto the transaction. And when it does get around to putting the transaction in a block

One part of this change is that PoS block proposers know ahead of time if they're going to propose the next block. The validators and the entire network know who's up to bat for the current block and the next one.

This means the block proposers are known for at least 6 minutes and 24 seconds and at most 12 minutes and 48 seconds.

Further reading:

https://blog.bytes032.xyz/p/why-you-should-stop-using-block-timestamp-as-deadline-in-swaps

Explained a lot better in the C4 PoolTogether finding: https://github.com/code-423n4/2023-08-pooltogether-findings/issues/126

Impact

Loss of funds/tokens for the protocol, since block execution is delegated to the block validator without a hard deadline.

‘The main argument here is the user will lose out on positive slippage if the exchange rate becomes favourable when the tx is included in a block.’

https://github.com/code-423n4/2023-08-pooltogether-findings/issues/126#issuecomment-1678355315

Tools Used

Manual

Recommendations

Let users provide a fixed deadline as a parameter, and never set the deadline to block.timestamp.
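
The recommendation above, sketched in Solidity as an added example; it is not code from the audited project or from this submission. It assumes a Uniswap V3 style `exactInputSingle` router (the page does not name the router being called) and tokens that return `bool`; `DeadlineSwapper` and its function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Assumption: a Uniswap V3 style router; the page does not name the router being called.
interface ISwapRouter {
    struct ExactInputSingleParams {
        address tokenIn; address tokenOut; uint24 fee; address recipient;
        uint256 deadline; uint256 amountIn; uint256 amountOutMinimum; uint160 sqrtPriceLimitX96;
    }
    function exactInputSingle(ExactInputSingleParams calldata params) external payable returns (uint256);
}

// Hypothetical wrapper contract, named for illustration only.
contract DeadlineSwapper {
    ISwapRouter public immutable router;
    error DeadlineExpired(uint256 deadline, uint256 blockTime);

    constructor(ISwapRouter router_) { router = router_; }

    // Weak: block.timestamp is read when the tx executes, so the router's
    // "now <= deadline" check passes however long the tx sat in the mempool.
    function swapWithoutDeadline(address tokenIn, address tokenOut, uint24 fee, uint256 amountIn, uint256 minOut)
        external returns (uint256)
    {
        return _swap(tokenIn, tokenOut, fee, amountIn, minOut, block.timestamp);
    }

    // Hardened: the caller fixes the deadline off-chain when signing; a stale tx reverts.
    function swapWithDeadline(address tokenIn, address tokenOut, uint24 fee, uint256 amountIn, uint256 minOut, uint256 deadline)
        external returns (uint256)
    {
        if (block.timestamp > deadline) revert DeadlineExpired(deadline, block.timestamp);
        return _swap(tokenIn, tokenOut, fee, amountIn, minOut, deadline);
    }

    function _swap(address tokenIn, address tokenOut, uint24 fee, uint256 amountIn, uint256 minOut, uint256 deadline)
        private returns (uint256)
    {
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "transferFrom failed");
        require(IERC20(tokenIn).approve(address(router), amountIn), "approve failed");
        return router.exactInputSingle(ISwapRouter.ExactInputSingleParams({
            tokenIn: tokenIn, tokenOut: tokenOut, fee: fee, recipient: msg.sender,
            deadline: deadline, amountIn: amountIn, amountOutMinimum: minOut, sqrtPriceLimitX96: 0
        }));
    }
}
```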

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

deadline-check-low

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

deadline-check
