MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: medium
Invalid

Using block.timestamp as the deadline/expiry invites MEV

Summary

The L2TokenReceiver contract uses block.timestamp as the transaction deadline in its swap and increaseLiquidityCurrentRange functions. Miners can exploit this design to manipulate transaction ordering and sandwich a transaction.

Vulnerability Details

Passing block.timestamp as the deadline of an operation does not mean "require immediate execution"; it means "whatever block this transaction appears in, I'm comfortable with that block's timestamp". Providing this value means that a malicious miner can hold the transaction for as long as they like (think the Flashbots mempool for bundling transactions), which may be until they are able to cause the transaction to incur the maximum amount of slippage allowed by the slippage parameter, or until conditions become unfavorable enough that other orders, e.g. liquidations, are triggered. Timestamps should be chosen off-chain, and should be specified by the caller to avoid unnecessary MEV.

Impact

Sandwiched TXs, increased slippage

Tools Used

VS Code

Recommendations

Allow users to specify the deadline when they initiate the transaction, giving them greater control and reducing the potential for MEV exploitation.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Protocol should not use block.timestamp as deadline in Uniswap interactions because it renders the protection mechanism useless

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
