Submission Details
Severity:
block.timestamp as deadline
Summary
Use of block.timestamp as deadline for Uniswap swap in L2TokenReceiver.sol
Vulnerability Details
Deadline for AMM swaps set as block.timestamp and this is never recommended
See notes here -> https://dacian.me/defi-slippage-attacks#heading-no-expiration-deadline
ISwapRouter.ExactInputSingleParams memory swapParams_ = ISwapRouter.ExactInputSingleParams({
tokenIn: params_.tokenIn,
tokenOut: params_.tokenOut,
fee: params_.fee,
recipient: address(this),
deadline: block.timestamp,
amountIn: amountIn_,
amountOutMinimum: amountOutMinimum_,
sqrtPriceLimitX96: params_.sqrtPriceLimitX96
});
Impact
validator can hold the transaction and the block it is eventually put into will be block.timestamp which can lead to loss of funds
Tools Used
Manual Analysis
Recommendations
It is recommended not to use block.timestamp as the deadline
Updates
Lead Judging Commences
inallhonesty over 1 year ago
Submission Judgement Published Assigned finding tags:
Protocol should not use block.timestamp as deadline in Uniswap interactions because it renders the protection mechanism useless
Prize pool breakdown
Total prize
22,500 USDC
nSLOC
1,05421 USDC / LOC
20,000 USDC
2,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.