First Flight #18: T-Swap

Summary

The swapExactOutput function in TSwapPool lacks slippage protection, which could result in users receiving significantly fewer tokens than expected due to market fluctuations

Vulnerability Details

The swapExactOutput function allows users to swap a specified amount of output tokens but does not offer any slippage protection in the form of a maximum input amount. This is different from the swapExactInput function, which specifies a minOutputAmount to protect against slippage. Without a maxInputAmount, users could end up sending significantly more input tokens than anticipated if the market conditions change while the transaction is pending.

Impact

Without slippage protection, users can be negatively impacted by significant market changes that occur between the time they initiate the transaction and when it is processed. This could lead to users losing a considerable amount of tokens, decreasing trust in the protocol and reducing overall user satisfaction.

Tools Used

Manual code review

POC

The price of 1 WETH is currently 1,000 USDC.
User initiates a swapExactOutput transaction to receive 1 WETH:
inputToken = USDC
outputToken = WETH
outputAmount = 1
deadline = ...
The function does not include a maxInputAmount.
While the transaction is pending, the market price changes drastically, and 1 WETH is now worth 10,000 USDC.
The transaction completes, but the user ends up sending 10,000 USDC instead of the expected 1,000 USDC.

Recommendations

Include a maxInputAmount parameter in the swapExactOutput function to provide slippage protection and ensure users only spend up to a specific amount. This change will help users predict their spending on the protocol and protect them from adverse market conditions.