Submission Details
Severity:
No expiration deadline leads to losing a lot of funds
Summary
The L2TokenReceiver::swap does not set an expiration deadline, resulting in losing a lot of funds when swapping tokens.
Vulnerability Details
The deadline parameter in the swap function is set to block.timestamp. That means the function will accept a token swap at any block number (i.e., no expiration deadline).
function swap(uint256 amountIn_, uint256 amountOutMinimum_) external onlyOwner returns (uint256) {
SwapParams memory params_ = params;
ISwapRouter.ExactInputSingleParams memory swapParams_ = ISwapRouter.ExactInputSingleParams({
tokenIn: params_.tokenIn,
tokenOut: params_.tokenOut,
fee: params_.fee,
recipient: address(this),
=> deadline: block.timestamp,
amountIn: amountIn_,
amountOutMinimum: amountOutMinimum_,
sqrtPriceLimitX96: params_.sqrtPriceLimitX96
});
uint256 amountOut_ = ISwapRouter(router).exactInputSingle(swapParams_);
emit TokensSwapped(params_.tokenIn, params_.tokenOut, amountIn_, amountOut_, amountOutMinimum_);
return amountOut_;
}
Impact
Without an expiration deadline, a malicious miner/validator can hold a transaction until they favor it or they can make a profit. As a result, the contract can lose a lot of funds from slippage.
Tools Used
Manual Review
Recommendations
Set the deadline parameter to a proper timestamp.
Updates
Lead Judging Commences
inallhonesty over 1 year ago
Submission Judgement Published Assigned finding tags:
Protocol should not use block.timestamp as deadline in Uniswap interactions because it renders the protection mechanism useless
Prize pool breakdown
Total prize
22,500 USDC
nSLOC
1,05421 USDC / LOC
20,000 USDC
2,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.