Submission Details
Severity:
In SmartVaultV3::swap() the `block.timestamp` is passed on `deadline` making it susceptible to MEV
Summary
Passing block.timestamp to deadline is basically saying that the sender is willing to accept the transaction to be included at any block.
Vulnerability Details
Malicious validators can withold the transaction until the block is in their favor (such as maximum slippages) which is unfavorable to the sender. Here's the code for quick reference.
function swap(bytes32 _inToken, bytes32 _outToken, uint256 _amount) external onlyOwner {
uint256 swapFee = _amount * ISmartVaultManagerV3(manager).swapFeeRate() / ISmartVaultManagerV3(manager).HUNDRED_PC();
address inToken = getSwapAddressFor(_inToken);
uint256 minimumAmountOut = calculateMinimumAmountOut(_inToken, _outToken, _amount);
ISwapRouter.ExactInputSingleParams memory params = ISwapRouter.ExactInputSingleParams({
tokenIn: inToken,
tokenOut: getSwapAddressFor(_outToken),
fee: 3000,
recipient: address(this),
deadline: block.timestamp, // @audit - this is vulnerable to MEVs
amountIn: _amount - swapFee,
amountOutMinimum: minimumAmountOut,
sqrtPriceLimitX96: 0
});
inToken == ISmartVaultManagerV3(manager).weth() ?
executeNativeSwapAndFee(params, swapFee) :
executeERC20SwapAndFee(params, swapFee);
}
Impact
Swap losses everytime.
Delayed execution which might ire users.
Tools Used
Manual Review
Recommendations
Parameterize the value of deadline and make calculations off-chain.
Updates
Lead Judging Commences
hrishibhat over 1 year ago
Submission Judgement Published Reason: Non-acceptable severity
Assigned finding tags:
deadline-check-low
Prize pool breakdown
Total prize
20,000 USDC
nSLOC
60933 USDC / LOC
17,500 USDC
2,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.