First Flight #18: T-Swap

First Flight #18

Beginner FriendlyDeFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

`TSwapPool: swapExactOutput` has lack of slippage protection, causes users to potentially spent much more than expected

abhishekthakur

Summary

Lack of slippage protection cause loss of funds for user.

Vulnerability Details

SwapExactOutput function lacks of slippage protection.

function swapExactOutput(

IERC20 inputToken,

IERC20 outputToken,

uint256 outputAmount,

uint64 deadline

){

/// existing code

}

As we can see, that to handle amounts it has only outputAmount which is not sufficient. It should have one more input maxInputAmount which will save users from being rekt. (getting few tokens than expected).

POC

Price of 1 WETH is say 4000 USDC.
User execute the tx with to get 1 weth as output. So he input
1. inputToken = USDC
2. outputToken = WETH
3. outputAmount = 1
4. deadline = current time + 360
The given function don't allow to put limit of maxInput that protocol can deduct to execute the swap. (No slippage protection)
As tx goes to mempool in pending state, MEV or say due to high market volatility, Weth reaches new hights and now 1 WETH = 16000 USDC. it's 4x more than the user input.
Transaction is confirmed now, but user spent 4x than he thought.

Impact

In highly volatile markets, or even MEV's can exploit this to make user getting worst swap.

Tools Used

Manual Review

Recommendations

Add a maxInputAmount input and if statement that will control the slippage. Which is essential to save user funds and revert the tx if trade is not favorable.
Given below:

+ error TradeIsNotFavourable();

function swapExactOutput(

IERC20 inputToken,

+ uint256 maxInputAmount,

. /// existing code

inputAmount = getInputAmountBasedOnOutput(outputAmount, inputReserves, outputReserves);

+ if(inputAmount > maxInputAmount){

+ revert TradeIsNotFavourable();

+ }

_swap(inputToken, inputAmount, outputToken, outputAmount);

}

Updates

Appeal created

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Lack of slippage protection in `TSwapPool::swapExactOutput` causes users to potentially receive way fewer tokens

Rewards breakdown

nSLOC

276

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.