Dangerous use of `block.timestamp` as a deadline parameter for `IncreaseLiquidityParams`
Summary
The contract uses block.timestamp as the deadline argument while interacting with the Uniswap Position Manager, which completely defeats the purpose of using a deadline.
Vulnerability Details
The current implementation of using block.timestamp as the deadline proves to be ineffective and essentially amounts to a no-operation, lacking proper protection. This is because block.timestamp captures the timestamp at the moment the transaction is mined, leading to a comparison like block.timestamp <= block.timestamp see: https://github.com/Uniswap/v3-periphery/blob/697c2474757ea89fec12a4e6db16a574fe259610/contracts/base/PeripheryValidation.sol#L7).
Impact
The consequence of not providing a valid deadline value is a potential vulnerability where pending transactions can be maliciously executed at a later time. If a transaction fails to receive sufficient gas for timely mining, it becomes susceptible to being picked up by malicious actors or MEV bots, enabling their execution to the detriment of the original submitter.
Tools Used
Manual review
Recommendations
Add the deadline parameter to the function and pass it to the INonfungiblePositionManager.IncreaseLiquidityParams params.
Lead Judging Commences
Protocol should not use block.timestamp as deadline in Uniswap interactions because it renders the protection mechanism useless
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.