First Flight #18: T-Swap

Beginner Friendly, DeFi, Foundry
Severity: high
Valid

Lack of slippage protection in `TSwapPool::swapExactOutput` causes users to potentially receive way fewer tokens

Summary:

The `swapExactOutput` function does not include any slippage protection. Just as `TSwapPool::swapExactInput` specifies a `minOutputAmount`, `swapExactOutput` should specify a `maxInputAmount`.

Vulnerability Details:

  1. The price of 1 WETH right now is 1,000 USDC.

  2. User inputs a `swapExactOutput` looking for 1 WETH:

     1. inputToken = USDC

     2. outputToken = WETH

     3. outputAmount = 1

     4. deadline = whatever

  3. The function does not offer a maxInput amount.

  4. As the transaction is pending in the mempool, the market changes! And the price moves HUGE -> 1 WETH is now 10,000 USDC. 10x more than the user expected.

  5. The transaction completes, but the user sent the protocol 10,000 USDC instead of the expected 1,000 USDC.

Impact:

If market conditions change before the transaction processes, the user could get a much worse swap.
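
The scenario above as a runnable model (an added example, not code from the submission or from TSwapPool). It assumes a fee-free constant-product quote, constructed reserves and a 1% tolerance picked by the user; `get_input_amount`, `swap_exact_output`, `SlippageExceeded` and `run_scenario` are hypothetical names. Because of price impact the quotes land slightly above the round 1,000 and 10,000 USDC figures.

```python
# Added example: fee-free constant-product model, not the TSwapPool source.
USDC = 10**6   # USDC uses 6 decimals
WETH = 10**18  # WETH uses 18 decimals


class SlippageExceeded(Exception):
    """Stands in for the revert when inputAmount > maxInputAmount."""


def get_input_amount(output_amount, input_reserves, output_reserves):
    """Input needed to withdraw output_amount while keeping x * y constant.
    Assumption: no fee term; rounds up in the pool's favour."""
    if not 0 < output_amount < output_reserves:
        raise ValueError("output amount must be positive and below reserves")
    numerator = input_reserves * output_amount
    return -(-numerator // (output_reserves - output_amount))  # ceiling


def swap_exact_output(reserves, output_amount, max_input_amount=None):
    """Return the input charged against reserves = (input, output).
    None models the function as reported; an int models the recommended cap."""
    input_amount = get_input_amount(output_amount, *reserves)
    if max_input_amount is not None and input_amount > max_input_amount:
        raise SlippageExceeded(f"{input_amount} > {max_input_amount}")
    return input_amount


def run_scenario():
    # Constructed reserves: 1 WETH is about 1,000 USDC when the user signs
    # and about 10,000 USDC when the transaction is finally executed.
    at_signing = (1_000_000 * USDC, 1_000 * WETH)
    at_execution = (10_000_000 * USDC, 1_000 * WETH)
    quoted = get_input_amount(1 * WETH, *at_signing)
    unbounded = swap_exact_output(at_execution, 1 * WETH)
    cap = quoted * 101 // 100  # assumed 1% tolerance chosen by the user
    try:
        swap_exact_output(at_execution, 1 * WETH, max_input_amount=cap)
        bounded = "executed"
    except SlippageExceeded:
        bounded = "reverted"
    return quoted, unbounded, bounded


if __name__ == "__main__":
    print(run_scenario())
```

Amounts are in the tokens' smallest units, so the quoted figure is in millionths of a USDC.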

Tools Used

Recommendations:

We should include a maxInputAmount so the user only has to spend up to a specific amount, and can predict how much they will spend on the protocol.

function swapExactOutput(
IERC20 inputToken,
+ uint256 maxInputAmount,
.
.
.
inputAmount = getInputAmountBasedOnOutput(outputAmount,
inputReserves, outputReserves);

  • if(inputAmount > maxInputAmount){

  • revert();

  • }
    _ swap(inputToken, inputAmount, outputToken, outputAmount)
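
Review bot: the bare `revert();` inside the added `if(inputAmount > maxInputAmount)` check gives callers no way to tell a slippage failure from any other failure; revert with a custom error that carries `inputAmount` and `maxInputAmount` instead. The new `maxInputAmount` parameter also needs a NatSpec line, and because it changes the signature of `swapExactOutput`, every existing caller has to be updated to pass a meaningful bound rather than an unlimited one.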

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of slippage protection in `TSwapPool::swapExactOutput` causes users to potentially receive way fewer tokens
