First Flight #18: T-Swap

First Flight #18
Beginner FriendlyDeFiFoundry
100 EXP
View results
Submission Details
Severity: high
Valid

`TSwapPool: swapExactOutput` has lack of slippage protection, causes users to potentially spent much more than expected

Summary

Lack of slippage protection cause loss of funds for user.

Vulnerability Details

SwapExactOutput function lacks of slippage protection.

function swapExactOutput(
IERC20 inputToken,
IERC20 outputToken,
uint256 outputAmount,
uint64 deadline
){
/// existing code
}

As we can see, that to handle amounts it has only outputAmount which is not sufficient. It should have one more input maxInputAmount which will save users from being rekt. (getting few tokens than expected).

POC

  1. Price of 1 WETH is say 4000 USDC.

  2. User execute the tx with to get 1 weth as output. So he input

    1. inputToken = USDC

    2. outputToken = WETH

    3. outputAmount = 1

    4. deadline = current time + 360

  3. The given function don't allow to put limit of maxInput that protocol can deduct to execute the swap. (No slippage protection)

  4. As tx goes to mempool in pending state, MEV or say due to high market volatility, Weth reaches new hights and now 1 WETH = 16000 USDC. it's 4x more than the user input.

  5. Transaction is confirmed now, but user spent 4x than he thought.

Impact

In highly volatile markets, or even MEV's can exploit this to make user getting worst swap.

Tools Used

Manual Review

Recommendations

Add a maxInputAmount input and if statement that will control the slippage. Which is essential to save user funds and revert the tx if trade is not favorable.
Given below:

+ error TradeIsNotFavourable();
function swapExactOutput(
IERC20 inputToken,
+ uint256 maxInputAmount,
. /// existing code
.
.
inputAmount = getInputAmountBasedOnOutput(outputAmount, inputReserves, outputReserves);
+ if(inputAmount > maxInputAmount){
+ revert TradeIsNotFavourable();
+ }
_swap(inputToken, inputAmount, outputToken, outputAmount);
}
Updates

Appeal created

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of slippage protection in `TSwapPool::swapExactOutput` causes users to potentially receive way fewer tokens

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.