Submission Details
Severity:
No slippage control on `swap()` function of SmartVaultV3 contract
Summary
The function calculateMinimumAmountOut() only calculates the minimum amount of received tokens to ensure the collateral value does not fall below the minimum required, exposing users to a sandwich attack where the user may receive just enough tokens to meet the minimum requirement.
Recommendations
The swap() function should include an additional parameter, _amountOutMinimum, and an additional step to compare this parameter with the minimumAmountOut variable.
function swap(bytes32 _inToken, bytes32 _outToken, uint256 _amount, uint256 _amountOutMinimum) external onlyOwner {
uint256 swapFee = _amount * ISmartVaultManagerV3(manager).swapFeeRate() / ISmartVaultManagerV3(manager).HUNDRED_PC();
address inToken = getSwapAddressFor(_inToken);
uint256 minimumAmountOut = calculateMinimumAmountOut(_inToken, _outToken, _amount);
ISwapRouter.ExactInputSingleParams memory params = ISwapRouter.ExactInputSingleParams({
tokenIn: inToken,
tokenOut: getSwapAddressFor(_outToken),
fee: 3000,
recipient: address(this),
deadline: block.timestamp,
amountIn: _amount - swapFee,
amountOutMinimum: minimumAmountOut > _amountOutMinimum ? minimumAmountOut : _amountOutMinimum,
sqrtPriceLimitX96: 0
});
inToken == ISmartVaultManagerV3(manager).weth() ?
executeNativeSwapAndFee(params, swapFee) :
executeERC20SwapAndFee(params, swapFee);
}
Updates
Lead Judging Commences
hrishibhat almost 2 years ago
Submission Judgement Published Reason: Known issue
Assigned finding tags:
Slippage-issue
Prize pool breakdown
Total prize
20,000 USDC
nSLOC
60933
USDC / LOC
17,500 USDC
2,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.