MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: medium
Invalid

No deadline checks when making AMM swaps

Summary

The protocol uses block.timestamp for deadline, which defeats the purpose of a deadline.

Vulnerability Details

Interactions with Uniswap require a deadline. This limits how long a pending transaction can remain executable and causes expired transactions to be discarded.
The swap function,

ISwapRouter.ExactInputSingleParams memory swapParams_ = ISwapRouter.ExactInputSingleParams({
    tokenIn: params_.tokenIn,
    tokenOut: params_.tokenOut,
    fee: params_.fee,
    recipient: address(this),
    deadline: block.timestamp, //@note
    amountIn: amountIn_,
    amountOutMinimum: amountOutMinimum_,
    sqrtPriceLimitX96: params_.sqrtPriceLimitX96
});

and the increaseLiquidityCurrentRange function both interact with Uniswap using block.timestamp as the deadline. This is ineffective: the deadline check compares the time the transaction was mined against itself, so it always passes.

INonfungiblePositionManager.IncreaseLiquidityParams memory params_ = INonfungiblePositionManager
    .IncreaseLiquidityParams({
        tokenId: tokenId_,
        amount0Desired: amountAdd0_,
        amount1Desired: amountAdd1_,
        amount0Min: amountMin0_,
        amount1Min: amountMin1_,
        deadline: block.timestamp
    });

Thus, malicious miners and MEV bots can hold the transaction for longer periods, in many cases to the detriment of the owner.

Impact

The transaction can be left pending in the mempool for a long time. The trade can also be executed long after the owner submitted the transaction, at which point it may be done at a sub-optimal price, which harms the owner's position, or be used to steal positive slippage from the owner.
A proper deadline check ensures that the transaction is executed on time and that an expired transaction reverts.

Tools Used

Manual code review

Recommendations

Allow the owner to enter the needed deadline, by including a deadline parameter in the swap and increaseLiquidityCurrentRange functions.
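
One way to apply this recommendation to the swap path, as an added example that is not the audited contract's code. The contract name, error names and constructor are hypothetical; token approval to the router is assumed to be handled elsewhere, and no price limit is set.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Minimal slice of Uniswap V3's ISwapRouter, declared inline so the file compiles alone.
interface ISwapRouter {
    struct ExactInputSingleParams {
        address tokenIn;
        address tokenOut;
        uint24 fee;
        address recipient;
        uint256 deadline;
        uint256 amountIn;
        uint256 amountOutMinimum;
        uint160 sqrtPriceLimitX96;
    }

    function exactInputSingle(ExactInputSingleParams calldata params) external payable returns (uint256 amountOut);
}

// Hypothetical wrapper: the owner picks the deadline when building the transaction,
// and the wrapper forwards it unchanged instead of substituting block.timestamp.
contract DeadlineAwareSwapper {
    ISwapRouter public immutable router;
    address public immutable owner;

    error NotOwner();
    error DeadlineExpired(uint256 deadline, uint256 minedAt);

    constructor(ISwapRouter router_) { router = router_; owner = msg.sender; }

    function swap(
        address tokenIn_, address tokenOut_, uint24 fee_,
        uint256 amountIn_, uint256 amountOutMinimum_, uint256 deadline_
    ) external returns (uint256) {
        if (msg.sender != owner) revert NotOwner();
        // Fail early, before any external call, if the tx was held past its deadline.
        if (block.timestamp > deadline_) revert DeadlineExpired(deadline_, block.timestamp);
        // Assumption: tokenIn_ is already approved to the router.
        return router.exactInputSingle(ISwapRouter.ExactInputSingleParams({
            tokenIn: tokenIn_,
            tokenOut: tokenOut_,
            fee: fee_,
            recipient: address(this),
            deadline: deadline_, // caller-chosen; the router checks it again
            amountIn: amountIn_,
            amountOutMinimum: amountOutMinimum_,
            sqrtPriceLimitX96: 0 // no price limit in this example
        }));
    }
}
```

The same change applies to increaseLiquidityCurrentRange: accept a deadline argument and pass it as the deadline field of IncreaseLiquidityParams.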

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Protocol should not use block.timestamp as deadline in Uniswap interactions because it renders the protection mechanism useless

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
