The deadline parameter, which is received as an argument in the TSwapPool::deposit function, is never actually used.
The deposit function in the TSwapPool.sol contract accepts uint64 deadline as one of its parameters, but the parameter is never used anywhere in the function. Because of this vulnerability, deposit can be called even if the deadline has passed. Although user funds are not under threat (because this vulnerability only lets users deposit assets at any given time), one can still get liquidity tokens by depositing assets when the protocol didn't intend to allow it.
The likelihood of this happening is very high as one doesn't require a lot of resources to "exploit" this vulnerability. Any user could call this function when they are not supposed to do so.
We get the following warning message when we do forge build:
(Please ignore the line number mentioned here. It is different from the one mentioned in the first flight repo because I deleted a few lines of comments during the audit process.)

    Warning (5667): Unused function parameter. Remove or comment out the variable name to silence this warning.
       --> src/TSwapPool.sol:106:9:
        |
    106 |         uint64 deadline
        |         ^^^^^^^^^^^^^^^
Upon manual review, we find that the deadline parameter is indeed unused.
Foundry, Manual review
This problem can be averted using the modifier revertIfDeadlinePassed(uint64 deadline).
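The following is an added sketch of that mitigation with a Foundry test, not code from the TSwapPool repository. The contract `DeadlineSketch`, its `deposited` mapping, the `DeadlinePassed` error, both function names and the modifier body are assumptions; only the modifier name and its `uint64 deadline` parameter come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Simplified stand-in for the pool (hypothetical; not the TSwapPool source).
contract DeadlineSketch {
    error DeadlinePassed(uint64 deadline); // hypothetical error name
    mapping(address => uint256) public deposited; // stand-in for liquidity accounting

    // Modifier name and parameter come from the finding; the body is an assumption.
    modifier revertIfDeadlinePassed(uint64 deadline) {
        if (block.timestamp > deadline) revert DeadlinePassed(deadline);
        _;
    }

    // Before: `deadline` is accepted but never read (compiler warning 5667).
    function depositUnchecked(uint256 amount, uint64 deadline) external {
        deposited[msg.sender] += amount;
    }

    // After: the modifier rejects the call once the deadline has passed.
    function depositChecked(uint256 amount, uint64 deadline)
        external
        revertIfDeadlinePassed(deadline)
    {
        deposited[msg.sender] += amount;
    }
}

contract DeadlineSketchTest is Test {
    DeadlineSketch pool = new DeadlineSketch();

    function test_staleDepositOnlyRevertsWhenChecked() public {
        uint64 deadline = uint64(block.timestamp + 1 hours);
        vm.warp(block.timestamp + 2 hours); // the deadline is now in the past

        pool.depositUnchecked(1 ether, deadline); // succeeds despite the stale deadline
        assertEq(pool.deposited(address(this)), 1 ether);

        vm.expectRevert(abi.encodeWithSelector(DeadlineSketch.DeadlinePassed.selector, deadline));
        pool.depositChecked(1 ether, deadline);
    }
}
```

Placed in the `test/` directory of a Foundry project, this runs with `forge test`, and building it reproduces warning 5667 on `depositUnchecked`.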