L2TokenReceiver.swap() function lacks a user-defined deadline parameter, enabling pending transactions to be executed maliciously at a later time
The absence of a deadline parameter prevents users from specifying a time limit for executing swaps.
https://github.com/Cyfrin/2024-01-Morpheus/blob/main/contracts/L2TokenReceiver.sol#L57
Consider the scenario:
Alice, the onlyOwner, initiates a swap of x(A) tokens for y(B) tokens, intending to later sell y(B) for x*10(A) tokens.
Alice's transaction remains pending in the mempool due to a low transaction fee, delaying its inclusion in a block for an extended period.
When network conditions favor her transaction's inclusion, the swap executes. However, the price of token B may have significantly changed, resulting in a much lower A value for y(B). Alice suffers a loss due to the unforeseen trade execution.
Even worse, malicious exploitation via Miner Extractable Value (MEV):
The pending swap transaction is awaiting execution in the mempool while token prices soar. Alice's transaction, previously uninteresting due to high fees, becomes profitable for miners to include.
The outdated maximum slippage value in the transaction parameters allows for considerable slippage. A MEV bot identifies this and sandwiches Alice, generating substantial profits for the bot at Alice's expense.
Pending transactions can be maliciously executed at a later point, on suboptimal terms.
Manual
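Add a proper deadline parameter, supplied by the caller, instead of passing block.timestamp. block.timestamp is read when the transaction executes, so a deadline set to it never expires.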
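A sketch of the recommended change, added here as an example and not taken from the project's code. The `IRouter` interface, the `DeadlineSwapExample` contract and the `swapWithoutDeadline` name are hypothetical; the router is assumed to revert once `block.timestamp` exceeds the deadline it receives, and access control and token approval are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical router interface (an assumption, not the project's code).
// The router is assumed to revert when block.timestamp > params.deadline.
interface IRouter {
    struct SwapParams {
        address tokenIn;
        address tokenOut;
        address recipient;
        uint256 deadline;
        uint256 amountIn;
        uint256 amountOutMinimum;
    }
    function exactInputSingle(SwapParams calldata params) external returns (uint256 amountOut);
}

contract DeadlineSwapExample {
    IRouter public immutable router;
    address public immutable tokenIn;
    address public immutable tokenOut;

    constructor(IRouter router_, address tokenIn_, address tokenOut_) {
        router = router_;
        tokenIn = tokenIn_;
        tokenOut = tokenOut_;
    }

    // Weak form: block.timestamp is read when the transaction executes, so the
    // router's deadline check compares the block time with itself and always passes.
    function swapWithoutDeadline(uint256 amountIn_, uint256 amountOutMinimum_) external returns (uint256) {
        return _swap(amountIn_, amountOutMinimum_, block.timestamp);
    }

    // Corrected form: the caller fixes deadline_ when signing, so a transaction
    // mined after that time reverts instead of executing at a stale price.
    function swap(uint256 amountIn_, uint256 amountOutMinimum_, uint256 deadline_) external returns (uint256) {
        require(block.timestamp <= deadline_, "swap expired");
        return _swap(amountIn_, amountOutMinimum_, deadline_);
    }

    // Access control and token approval to the router are assumed to exist elsewhere.
    function _swap(uint256 amountIn_, uint256 amountOutMinimum_, uint256 deadline_) private returns (uint256) {
        return router.exactInputSingle(IRouter.SwapParams({
            tokenIn: tokenIn, tokenOut: tokenOut, recipient: address(this),
            deadline: deadline_, amountIn: amountIn_, amountOutMinimum: amountOutMinimum_
        }));
    }
}
```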