Submission Details
Severity:
Missing slippage control for swapExactOutput()
Summary
Missing slippage control for swapExactOutput()
Vulnerability Details
In function swapExactOutput(), users will assign the outputAmount and swap tokens. The vulnerability is that we don't set the maximum input amount. Users may have to pay lot of input amount because of the MEV attack.
function swapExactOutput(
IERC20 inputToken,
IERC20 outputToken,
uint256 outputAmount,
uint64 deadline
)
public
revertIfZero(outputAmount)
revertIfDeadlinePassed(deadline)
returns (uint256 inputAmount)
{
uint256 inputReserves = inputToken.balanceOf(address(this));
uint256 outputReserves = outputToken.balanceOf(address(this));
inputAmount = getInputAmountBasedOnOutput(
outputAmount,
inputReserves,
outputReserves
);
_swap(inputToken, inputAmount, outputToken, outputAmount);
}
Impact
Users may need to pay more input tokens than expected amount because of the MEV attack.
Tools Used
Manual
Recommendations
add slippage control maxmiumInputAmount
Updates
Appeal created
inallhonesty about 1 year ago
Submission Judgement Published Assigned finding tags:
Lack of slippage protection in `TSwapPool::swapExactOutput` causes users to potentially receive way fewer tokens
Rewards breakdown
nSLOC
276This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.