Using `block.timestamp` as the deadline in the `L2TokenReceiver.swap` invites MEV
Summary
Passing block.timestamp as the deadline of an operation does not mean “require immediate execution” - it means “whatever block this transaction appears in, I’m comfortable with that block’s timestamp”. Providing this value means that a malicious sequencer can hold the transaction for as long as they like, which may be until they are able to cause the transaction to incur the maximum amount of slippage allowed by the slippage parameter.
Impact
The current implementation allows the sequencer to extract some value from the operation that leads to a less favorable swap price for an owner. Low severity since the sequencer is trusted but it is still better to prevent such cases completely.
Tools Used
Manual Review
Recommendations
Consider specifying a deadline by the caller to avoid unnecessary MEV.
Lead Judging Commences
Protocol should not use block.timestamp as deadline in Uniswap interactions because it renders the protection mechanism useless
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.