MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: medium
Invalid

Swap function has no protection for deadline resulting in lower price

Summary

Swapping of tokens misses the transaction expiration check, which may lead to tokens being swapped at a price that's lower than the market price at the moment of a swap.

Vulnerability Details

The swap function, which is responsible for swapping tokens in the L2TokenReceiver contract, sets the deadline argument of the router call to block.timestamp. This disables the transaction expiration check, because the deadline is always equal to the timestamp of whichever block eventually includes the transaction, so the check can never fail.
The transaction expiration check is what protects against selling or swapping tokens at an outdated price that is lower than the current price.

Consider this scenario:

In the PoS model, proposers know well in advance whether they will propose one block or several consecutive blocks. In such a scenario, a malicious validator can hold back the transaction and execute it at a more favourable block.

While the transaction sits in the mempool for a longer time, the token price changes. Because the minimum output amount was computed at submission time, the amountOutMinimum check still passes, and the user takes a loss from the swap executing at a lower price.

Impact

Swaps can be exploited when the transaction is held in the mempool for longer than expected: it still executes, but at an outdated price, so tokens are sold below the current market price.

Recommendations

Consider setting a reasonable value for the deadline argument instead of block.timestamp.
For example, set it to 10-30 minutes on mainnet and to 5 minutes on L2 networks.
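As an added illustration (not code from the MorpheusAI repository or from the original submission), the vulnerable pattern beside the recommended fix, written against a trimmed-down Uniswap V3 ISwapRouter interface; the DeadlineExample contract, its function names and the MAX_DEADLINE_DELAY bound are assumptions for the example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Minimal subset of Uniswap V3's ISwapRouter. The real router's checkDeadline
// modifier reverts with "Transaction too old" once block.timestamp > deadline.
interface ISwapRouter {
    struct ExactInputSingleParams {
        address tokenIn;
        address tokenOut;
        uint24 fee;
        address recipient;
        uint256 deadline;
        uint256 amountIn;
        uint256 amountOutMinimum;
        uint160 sqrtPriceLimitX96;
    }
    function exactInputSingle(ExactInputSingleParams calldata p) external payable returns (uint256);
}

// Hypothetical contract (not the audited L2TokenReceiver) showing both patterns.
contract DeadlineExample {
    ISwapRouter public immutable router;
    address public immutable tokenIn;
    address public immutable tokenOut;
    uint24 public constant POOL_FEE = 3000;
    // Cap on how far ahead a caller may place the deadline; 5 minutes is the L2
    // figure from the recommendation, use 10-30 minutes on mainnet.
    uint256 public constant MAX_DEADLINE_DELAY = 5 minutes;
    constructor(ISwapRouter router_, address tokenIn_, address tokenOut_) {
        router = router_; tokenIn = tokenIn_; tokenOut = tokenOut_;
    }
    // Shared call into the router (ERC-20 approval of tokenIn omitted for brevity).
    function _swap(uint256 amountIn, uint256 amountOutMinimum, uint256 deadline) internal returns (uint256) {
        return router.exactInputSingle(ISwapRouter.ExactInputSingleParams({
            tokenIn: tokenIn, tokenOut: tokenOut, fee: POOL_FEE, recipient: address(this),
            deadline: deadline, amountIn: amountIn,
            amountOutMinimum: amountOutMinimum, sqrtPriceLimitX96: 0
        }));
    }
    // Vulnerable: deadline == block.timestamp is true in whatever block finally
    // includes the transaction, so the router's expiry check can never fail.
    function swapNoDeadline(uint256 amountIn, uint256 amountOutMinimum) external returns (uint256) {
        return _swap(amountIn, amountOutMinimum, block.timestamp);
    }
    // Fixed: the deadline is chosen when the transaction is built and passed in, so a
    // transaction held back past it reverts instead of filling at a stale price.
    function swapWithDeadline(uint256 amountIn, uint256 amountOutMinimum, uint256 deadline) external returns (uint256) {
        require(deadline <= block.timestamp + MAX_DEADLINE_DELAY, "swap: deadline too far ahead");
        return _swap(amountIn, amountOutMinimum, deadline); // router reverts if already expired
    }
}
```

The upper bound in swapWithDeadline keeps a caller from passing an effectively unlimited deadline, which would reintroduce the same stale-execution window from the other direction.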

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Protocol should not use block.timestamp as deadline in Uniswap interactions because it renders the protection mechanism useless

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
