The function swap()
and increaseLiquidityCurrentRange()
from L2TokenReceiver.sol
use these methods to swap tokens and increase liquidity range:
https://github.com/Cyfrin/2024-01-Morpheus/blob/07c900d22073911afa23b7fa69a4249ab5b713c8/contracts/L2TokenReceiver.sol#L60-L69
and
https://github.com/Cyfrin/2024-01-Morpheus/blob/07c900d22073911afa23b7fa69a4249ab5b713c8/contracts/L2TokenReceiver.sol#L105-L113
Both methods make sure to pass slippage (minimum amount out), but miss to provide the deadline which is crucial to avoid unexpected trades/losses for users and protocol.
Without a deadline, the transaction might be left hanging in the mempool and be executed way later than the user wanted.
That could lead to users/protocol getting a worse price, because a validator can just hold onto the transaction. And when it does get around to putting the transaction in a block
One part of this change is that PoS block proposers know ahead of time if they're going to propose the next block. The validators and the entire network know who's up to bat for the current block and the next one.
This means the block proposers are known for at least 6 minutes and 24 seconds and at most 12 minutes and 48 seconds.
Further reading: https://blog.bytes032.xyz/p/why-you-should-stop-using-block-timestamp-as-deadline-in-swaps
Refer this verified Medium vulnerability more: https://github.com/code-423n4/2023-08-pooltogether-findings/issues/126
Loss of funds/tokens for the owner, since block execution is delegated to the block validator without a hard deadline.
The main argument here is the owner/protocol will lose out on positive slippage if the exchange rate becomes favourable when the tx is included in a block.
Manual
Let users provide a fixed deadline
as param, and also never set deadline to block.timestamp
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.