The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Valid

Missing Deadline Check in `executeERC20SwapAndFee` Function

Summary

The executeERC20SwapAndFee function in the provided smart contract lacks a critical deadline check when executing token swaps. This omission may expose the contract to potential issues related to outdated quotes or liquidity, as there is no mechanism to ensure that the swap is executed within a reasonable timeframe.

Vulnerability Details

The executeERC20SwapAndFee function is responsible for executing ERC-20 token swaps along with associated fees. However, it lacks a deadline parameter, leaving the door open for potential front-running attacks and risks associated with outdated quotes.

```solidity
function executeERC20SwapAndFee(ISwapRouter.ExactInputSingleParams memory _params, uint256 _swapFee) private {
    IERC20(_params.tokenIn).safeTransfer(ISmartVaultManagerV3(manager).protocol(), _swapFee);
    IERC20(_params.tokenIn).safeApprove(ISmartVaultManagerV3(manager).swapRouter2(), _params.amountIn);
    ISwapRouter(ISmartVaultManagerV3(manager).swapRouter2()).exactInputSingle(_params);
    IWETH weth = IWETH(ISmartVaultManagerV3(manager).weth());
    uint256 wethBalance = weth.balanceOf(address(this));
    if (wethBalance > 0) weth.withdraw(wethBalance);
}
```

The absence of a deadline parameter means that there is no explicit check to ensure the swap is executed within a specified timeframe. This exposes the contract to potential issues, such as inefficient or failed swaps in scenarios where market conditions rapidly change.

Impact

The vulnerability increases the risk of inefficient or failed token swaps due to potential front-running attacks, outdated quotes, or other market fluctuations. This may result in financial losses and negatively impact the reliability of the contract's token swapping functionality.

Tools Used

Manual

Recommendations

Introduce a deadline parameter to the ISwapRouter.ExactInputSingleParams struct and include a deadline check within the executeERC20SwapAndFee function. Set a reasonable deadline value to ensure that token swaps are executed within a specified timeframe, minimizing the risk of front-running attacks and providing more predictable behavior.
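One way to apply this recommendation, as an added sketch that is not the project's code or the submitter's: the caller supplies the deadline and the swap reverts if it is mined later. `ISwapRouterMin`, `DeadlineGuardedSwap`, `swapWithDeadline`, the constructor-set `protocol` and `router`, and the struct layout are assumptions made for illustration; the imports assume OpenZeppelin 4.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol"; // 4.x: has safeApprove

// Trimmed, assumed interface: the params struct as the finding describes it (no deadline field).
interface ISwapRouterMin {
    struct ExactInputSingleParams {
        address tokenIn; address tokenOut; uint24 fee; address recipient;
        uint256 amountIn; uint256 amountOutMinimum; uint160 sqrtPriceLimitX96;
    }
    function exactInputSingle(ExactInputSingleParams calldata params) external payable returns (uint256);
}

contract DeadlineGuardedSwap {
    using SafeERC20 for IERC20;

    error DeadlineExpired(uint256 deadline, uint256 minedAt);

    address public immutable owner;
    address public immutable protocol;      // fee recipient; the page's contract reads this from its manager
    ISwapRouterMin public immutable router; // the page's contract reads this from its manager too

    constructor(address _protocol, ISwapRouterMin _router) {
        owner = msg.sender;
        protocol = _protocol;
        router = _router;
    }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Reverts if the transaction is mined after the timestamp the caller agreed to.
    modifier checkDeadline(uint256 _deadline) {
        if (block.timestamp > _deadline) revert DeadlineExpired(_deadline, block.timestamp);
        _;
    }

    // _deadline is chosen off-chain by the caller (for example quote time plus a few minutes).
    // Deriving it from block.timestamp inside the contract would always pass and check nothing.
    function swapWithDeadline(
        ISwapRouterMin.ExactInputSingleParams memory _params,
        uint256 _swapFee,
        uint256 _deadline
    ) external onlyOwner checkDeadline(_deadline) {
        IERC20(_params.tokenIn).safeTransfer(protocol, _swapFee);
        IERC20(_params.tokenIn).safeApprove(address(router), _params.amountIn);
        router.exactInputSingle(_params);
    }
}
```

The WETH unwrap step from the original function is left out to keep the focus on the deadline check.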

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

deadline-check-low

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

deadline-check
