The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

swap function is executed without explicit slippage protection

alchmy0

Summary

swap function is executed without explicit slippage protection

Vulnerability Details

Lack of explicit slippage protection can lead to sandwich attacks in highly volatile markets

Impact

This leaves the contract vulnerable to sandwich attacks during swapping

Tools Used

VS Code manual review

Recommendations

An adjustment of the form below will mitigate the issue:
function swap(bytes32 _inToken, bytes32 _outToken, uint256 _amount, uint256 _slippageTolerance) external onlyOwner {
// Calculate the swap fee based on the specified swap fee rate
uint256 swapFee = _amount * ISmartVaultManagerV3(manager).swapFeeRate() / ISmartVaultManagerV3(manager).HUNDRED_PC();

// Get the address of the token to be swapped in
address inToken = getSwapAddressFor(_inToken);

// Calculate the minimum amount of the output token expected from the swap
uint256 minimumAmountOut = calculateMinimumAmountOut(_inToken, _outToken, _amount, _slippageTolerance);

ISwapRouter.ExactInputSingleParams memory params = ISwapRouter.ExactInputSingleParams({
    tokenIn: inToken,
    tokenOut: getSwapAddressFor(_outToken),
    fee: 3000,
    recipient: address(this),
    deadline: block.timestamp,
    amountIn: _amount - swapFee,
    amountOutMinimum: minimumAmountOut,
    sqrtPriceLimitX96: 0
});

// Execute the swap based on the type of input token
inToken == ISmartVaultManagerV3(manager).weth() ?
    executeNativeSwapAndFee(params, swapFee) :
    executeERC20SwapAndFee(params, swapFee);

}

function calculateMinimumAmountOut(bytes32 _inTokenSymbol, bytes32 _outTokenSymbol, uint256 _amount, uint256 _slippageTolerance) private view returns (uint256) {
uint256 expectedAmountOut = // calculate expected amount out based on market conditions

// Calculate the maximum acceptable slippage
uint256 slippageAmount = (expectedAmountOut * _slippageTolerance) / 10000; // slippageTolerance is in basis points

// Ensure the minimum amount out is above the calculated slippage
return expectedAmountOut - slippageAmount;

}

The _slippageTolerance can be adjusted based on market conditions and requirements.

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

informational/invalid

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.