First Flight #18: T-Swap

First Flight #18

Beginner FriendlyDeFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

`TSwapPool::deposit` function don't verify if deadline is late

0xjoaovictor

Summary

In the TSwapPool::deposit function we don't have a verification if deadline is late.

Vulnerability Details

The function TSwapPool::deposit don't verify the deadline parameter, as we can see below:

function deposit(

uint256 wethToDeposit,

uint256 minimumLiquidityTokensToMint,

uint256 maximumPoolTokensToDeposit,

uint64 deadline

)

external

revertIfZero(wethToDeposit) // here we don't have a modifier to verify the deadline

returns (uint256 liquidityTokensToMint)

Impact

Because of the lack os this check the function TSwapPool::deposit will be accept deposits after the deadline

Tools Used

Solidity and Foundry

Proof of Concept

Add the following PoC to test/unit/TSwapPool.t.sol:

function testDepositWithDeadlineLate() public {

vm.startPrank(liquidityProvider);

weth.approve(address(pool), 100e18);

poolToken.approve(address(pool), 100e18);

uint64 deadlineLate = uint64(0);

pool.deposit(100e18, 100e18, 100e18, deadlineLate);

assertEq(pool.balanceOf(liquidityProvider), 100e18);

assertEq(weth.balanceOf(liquidityProvider), 100e18);

assertEq(poolToken.balanceOf(liquidityProvider), 100e18);

assertEq(weth.balanceOf(address(pool)), 100e18);

assertEq(poolToken.balanceOf(address(pool)), 100e18);

}

Recommendations

You can use the existent modifier revertIfDeadlinePassed in the TSwapPool::deposit:

function deposit(

uint256 wethToDeposit,

uint256 minimumLiquidityTokensToMint,

uint256 maximumPoolTokensToDeposit,

uint64 deadline

)

external

revertIfZero(wethToDeposit)

+ revertIfDeadlinePassed(deadline)

returns (uint256 liquidityTokensToMint)

{

...

Updates

Appeal created

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Validated

Assigned finding tags:

`deposit` is missing deadline check causing transactions to complete even after the deadline

Rewards breakdown

nSLOC

276

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.