TSwapPool::deposit Lacks a Deadline Check, Allowing Sandwich Attacks
Description:
The deposit function has a deadline input parameter, but it is not used anywhere. Since this parameter is not used, the transaction can be executed at a later time than the liquidity provider allowed.
Impact:
Alice wants to deposit 1 ETH and the needed amount of poolToken.
The transaction is submitted to the mempool, however, Alice chose a transaction fee that is too low for miners to be interested in including her transaction in a block. The transaction stays pending in the mempool for extended periods, which could be hours, days, weeks, or even longer.
The deposit transaction is still pending in the mempool. Average fees are still too high for miners to be interested in it.
The price of tokens has gone up significantly since the transaction was signed, meaning Alice would receive a lot more ETH when the deposit is executed. But that also means that her maximum slippage value (minimumLiquidityTokensToMint and maximumPoolTokensToDeposit in terms of the TSwapPool contract) is outdated and would allow for significant slippage.
A MEV bot detects the pending transaction. Since the outdated maximum slippage value now allows for high slippage, the bot sandwiches Alice, resulting in significant profit for the bot and significant loss for Alice.
Recommended Mitigation:
Add the deadline check modifier to deposit.
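The sketch below is an added example, not code from TSwapPool or from the finding's author; it shows the ignored deadline next to a version guarded by a modifier. The contract name, the modifier name revertIfDeadlinePassed, the error, the event, wethAmount and the parameter types are assumptions, and _deposit stands in for the pool's real deposit logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the TSwapPool source. Only deadline,
// minimumLiquidityTokensToMint and maximumPoolTokensToDeposit are named in
// the finding; every other identifier here is a hypothetical stand-in.
contract DeadlineSketch {
    error DeadlinePassed(uint64 deadline, uint256 blockTime);
    event Deposited(address indexed provider, uint256 wethAmount, uint256 minLp, uint256 maxPoolTokens);

    // Reject execution once block time is past the signed deadline.
    modifier revertIfDeadlinePassed(uint64 deadline) {
        if (block.timestamp > deadline) {
            revert DeadlinePassed(deadline, block.timestamp);
        }
        _;
    }

    // Before: deadline is accepted but never read, so a transaction that sat
    // in the mempool still executes against stale slippage bounds.
    function depositUnchecked(
        uint256 wethAmount,
        uint256 minimumLiquidityTokensToMint,
        uint256 maximumPoolTokensToDeposit,
        uint64 deadline
    ) external {
        _deposit(wethAmount, minimumLiquidityTokensToMint, maximumPoolTokensToDeposit);
    }

    // After: same signature, but the modifier runs first and reverts a late call.
    function deposit(
        uint256 wethAmount,
        uint256 minimumLiquidityTokensToMint,
        uint256 maximumPoolTokensToDeposit,
        uint64 deadline
    ) external revertIfDeadlinePassed(deadline) {
        _deposit(wethAmount, minimumLiquidityTokensToMint, maximumPoolTokensToDeposit);
    }

    // Placeholder for the pool's real deposit logic (token transfers and LP
    // minting are omitted); it only records the bounds it was called with.
    function _deposit(uint256 wethAmount, uint256 minLp, uint256 maxPoolTokens) private {
        emit Deposited(msg.sender, wethAmount, minLp, maxPoolTokens);
    }
}
```

A regression test for the fix would advance block time past the deadline and assert that deposit reverts while depositUnchecked still succeeds.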