First Flight #18: T-Swap

Severity: high
Valid

Missing maxInputAmount Parameter in TSwapPool::swapExactOutput

Summary

The swapExactOutput function does not include a maxInputAmount parameter, which is critical for ensuring that users do not overpay during swaps. This omission can lead to users inadvertently providing more tokens than necessary, resulting in potential financial losses.

Vulnerability Details

The swapExactOutput function is designed to swap an exact amount of output tokens, but without a maxInputAmount parameter, users cannot cap the maximum number of input tokens they are willing to provide. This lack of a safeguard can lead to users providing an excessive number of input tokens if market conditions change unfavorably during the transaction execution.

    function swapExactOutput(
        IERC20 inputToken,
        IERC20 outputToken,
        uint256 outputAmount,
        uint64 deadline
    )
        public
        revertIfZero(outputAmount)
        revertIfDeadlinePassed(deadline)
        returns (uint256 inputAmount)
    {
        uint256 inputReserves = inputToken.balanceOf(address(this));
        uint256 outputReserves = outputToken.balanceOf(address(this));
        inputAmount = getInputAmountBasedOnOutput(outputAmount, inputReserves, outputReserves);
        // No check for max input amount
        _swap(inputToken, inputAmount, outputToken, outputAmount);
    }

Proof of Concept (PoC):

  1. Deploy the TSWAP contract.

  2. Call the function with parameters that would result in a high input amount due to rapid market changes.

  3. Observe that the user overpays without any safeguard against providing an excessive number of input tokens.
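
The steps above, modelled as an added example (not code from this submission or from the T-Swap project). It assumes a fee-less constant-product pool: `required_input` is a hypothetical stand-in for getInputAmountBasedOnOutput, whose body is not shown on this page, and the reserve figures are constructed.

```python
class SlippageExceeded(Exception):
    """Stands in for the revert a guarded swapExactOutput would raise."""


def required_input(output_amount, input_reserves, output_reserves):
    # Assumption: fee-less constant product (x * y = k), rounded up in the
    # pool's favour. Not the project's actual pricing function.
    if not 0 < output_amount < output_reserves:
        raise ValueError("output amount must be positive and below reserves")
    numerator = input_reserves * output_amount
    denominator = output_reserves - output_amount
    return -(-numerator // denominator)  # integer ceiling division


class Pool:
    def __init__(self, input_reserves, output_reserves):
        self.input_reserves = input_reserves
        self.output_reserves = output_reserves

    def swap_exact_output(self, output_amount, max_input_amount=None):
        # max_input_amount=None models the function as submitted: no cap.
        input_amount = required_input(
            output_amount, self.input_reserves, self.output_reserves
        )
        if max_input_amount is not None and input_amount > max_input_amount:
            raise SlippageExceeded(
                f"swap needs {input_amount}, caller allowed {max_input_amount}"
            )
        self.input_reserves += input_amount
        self.output_reserves -= output_amount
        return input_amount


def scenario(max_input_amount=None):
    """Return (price quoted to the user, price actually paid)."""
    pool = Pool(100_000, 100_000)  # constructed reserves
    quoted = required_input(1_000, pool.input_reserves, pool.output_reserves)
    # Reserves change between the user's quote and the user's execution.
    pool.swap_exact_output(20_000)
    paid = pool.swap_exact_output(1_000, max_input_amount)
    return quoted, paid
```

With no cap the user is quoted 1011 input tokens and pays 1583; with a cap of 1021 (about 1% above the quote) the same call raises `SlippageExceeded` and the pool state is unchanged.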

Impact

  1. Financial Loss: Users may overpay for swaps, leading to unintended financial losses.

  2. User Trust: The lack of a maximum input limit can erode user trust in the contract, as users may feel unprotected from adverse market movements.

  3. Market Manipulation: Malicious actors could exploit this vulnerability by manipulating market conditions to cause users to overpay significantly during swaps.

Tools Used

Manual Review

Recommendations

  1. Add maxInputAmount Parameter: Update the swapExactOutput function to include a maxInputAmount parameter, ensuring that users do not overpay for swaps.

  2. Input Validation: Validate the input amount against the maxInputAmount to ensure it does not exceed the user-defined limit.

  3. User Education: Inform users about the importance of setting a maxInputAmount to protect themselves from potential overpayment.

function swapExactOutput(
IERC20 inputToken,
IERC20 outputToken,
uint256 outputAmount,
+ uint256 maxInputAmount
uint64 deadline
)
public
revertIfZero(outputAmount)
revertIfDeadlinePassed(deadline)
returns (uint256 inputAmount)
{
uint256 inputReserves = inputToken.balanceOf(address(this));
uint256 outputReserves = outputToken.balanceOf(address(this));
inputAmount = getInputAmountBasedOnOutput(outputAmount, inputReserves, outputReserves);
+ if (maxInputAmount< inputAmount) {
+ revert();
+ }
_swap(inputToken, inputAmount, outputToken, outputAmount);
}
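
Review bot: the added parameter line `uint256 maxInputAmount` has no trailing comma before `uint64 deadline`, so the signature will not compile as written; add the comma. The new guard also uses a bare `revert()`, which gives the caller no reason for the failure; a custom error that carries inputAmount and maxInputAmount would make a rejected swap diagnosable. The added lines are also worth documenting in the function's comments so callers know maxInputAmount is the upper bound on what the pool may pull from them.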
Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of slippage protection in `TSwapPool::swapExactOutput` causes users to potentially receive way fewer tokens
