Absence of Slippage Protection in `TSwapPool::swapExactOutput` Exposes Users to Significant Losses
Summary
Lack of slippage protection in TSwapPool::swapExactOutput causes users to potentially receive way fewer tokens
Vulnerability Details
The TSwapPool::swapExactOutput function lacks slippage protection, unlike the TSwapPool::swapExactInput function, which uses a minOutputAmount to safeguard users. The swapExactOutput function should similarly include a maxInputAmount parameter to protect users from drastic market changes.
Impact
If market conditions shift unfavorably before the transaction is processed, users could receive significantly fewer tokens than expected, leading to substantial financial losses.
Proof of Concept:
Consider the following scenario:
The current price of 1 WETH is 1,000 USDC.
A user initiates a swapExactOutput to receive 1 WETH.
inputToken = USDC
outputToken = WETH
outputAmount = 1 WETH
deadline = (any future time)
The function does not specify a maxInputAmount.
While the transaction is pending, the market price of WETH rises to 10,000 USDC.
The transaction completes, and the user ends up spending 10,000 USDC instead of the anticipated 1,000 USDC.
Tools Used
Manual review
Recommendations
We should include a maxInputAmount so the user only has to spend up to a specific amount, and can predict how much they will spend on the protocol. The revised function is shown below:
Appeal created
Lack of slippage protection in `TSwapPool::swapExactOutput` causes users to potentially receive way fewer tokens
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.