The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Lack of Slippage Checks in `executeERC20SwapAndFee` Swap Function

daniel526

Summary

The executeERC20SwapAndFee private function in the provided contract lacks explicit slippage checks during the execution of ERC-20 swaps. This absence of slippage controls may expose the contract to potential risks associated with unfavorable trade execution prices.

Vulnerability Details

The executeERC20SwapAndFee function is responsible for handling the execution of ERC-20 swaps, including the transfer of a swap fee to the protocol, approving the swap router, and executing the swap itself. However, the code does not incorporate checks for slippage, which refers to the potential difference between the expected and executed trade prices. The absence of slippage controls may result in less favorable exchange rates, potentially impacting the overall security and efficiency of the contract.

function executeERC20SwapAndFee(ISwapRouter.ExactInputSingleParams memory _params, uint256 _swapFee) private {

IERC20(_params.tokenIn).safeTransfer(ISmartVaultManagerV3(manager).protocol(), _swapFee);

IERC20(_params.tokenIn).safeApprove(ISmartVaultManagerV3(manager).swapRouter2(), _params.amountIn);

ISwapRouter(ISmartVaultManagerV3(manager).swapRouter2()).exactInputSingle(_params);

IWETH weth = IWETH(ISmartVaultManagerV3(manager).weth());

// convert potentially received weth to eth

uint256 wethBalance = weth.balanceOf(address(this));

if (wethBalance > 0) weth.withdraw(wethBalance);

}

Impact

User will be affected by unintended and unhandled slippage, potentially affecting the funds they get back from the swap

Tools Used

Manual

Recommendations

Implement slippage tolerance checks within the executeERC20SwapAndFee function to compare the expected price with the executed price.

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

informational/invalid

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!