swap() deadline incorrectly set to block.timestamp
Summary
swap() function executes the ISwapRouter.ExactInputSingleParams() function with deadline as block.timestamp. This has basically no effect and should rather be an actual uint256 value.
Vulnerability Details
The deadline parameter in the swap() is set to block.timestamp. That means the function will accept a token swap at any block number (i.e. no expiration deadline).
Since block.timestamp is always relative, using it in any way is equivalent to using no deadline at all. Needs to use a user defined input to effectively enforce any deadline.
Without a deadline, the transaction might be left hanging in the mempool and be executed way later than the user wanted. That could lead to user getting a worse price, because a validator can just hold onto the transaction. And when it does get around to putting the transaction in a block, it'll be block.timestamp, so they've got no protection there.
Impact
Without an expiration deadline, a malicious miner/validator can hold a transaction until they favor it or they can make a profit.
Tools Used
Manual Review
Recommendations
Add a deadline parameter inside the swap function
Lead Judging Commences
Protocol should not use block.timestamp as deadline in Uniswap interactions because it renders the protection mechanism useless
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.