First Flight #18: T-Swap

Severity: high
Valid

`TSwapPool::swapExactOutput()` is missing a slippage protection check, causing callers to get fewer tokens than they expect

Summary

The `TSwapPool::swapExactOutput` function has no slippage protection check to help users get the value they expect in return for a swap.

Without the check, a user submits a transaction without knowing what he can expect to get out of the pool. An attacker or MEV bot that sees the transaction may place an order just before the swapper's to manipulate the pool, or a big whale may place an order that changes the value of the pool immensely, so the swapper gets fewer tokens than he intended to get.

Impact

The pool takes in more tokens than the user wants to spend for the output he places the order for.
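The effect on the required input, and what a caller-supplied maximum changes, as an added Python model that is not code from the submission or from TSwapPool. It assumes constant-product pricing with a 0.3% fee, since the page does not show the formula behind `getInputAmountBasedOnOutput`; `Pool`, `InputTooHigh` and the reserve figures are constructed for illustration.

```python
# Added model, not TSwapPool code. Assumption: constant-product pricing with a
# 0.3% fee; the page does not show getInputAmountBasedOnOutput's formula.
FEE_NUM, FEE_DEN = 997, 1000
UNIT = 10**18


class InputTooHigh(Exception):
    """Hypothetical stand-in for the revert in the recommended check."""


def input_for_output(output_amount, input_reserves, output_reserves):
    # Input needed to withdraw exactly output_amount (floor division plus 1,
    # so the pool is never underpaid).
    num = input_reserves * output_amount * FEE_DEN
    den = (output_reserves - output_amount) * FEE_NUM
    return num // den + 1


class Pool:
    def __init__(self, input_reserves, output_reserves):
        self.inp, self.out = input_reserves, output_reserves

    def swap_exact_output(self, output_amount, max_input=None):
        needed = input_for_output(output_amount, self.inp, self.out)
        # max_input=None models the current function: any price is accepted.
        if max_input is not None and needed > max_input:
            raise InputTooHigh(f"needs {needed}, caller allows {max_input}")
        self.inp += needed
        self.out -= output_amount
        return needed


def demo():
    quote = input_for_output(UNIT, 100 * UNIT, 100 * UNIT)  # price the user saw
    # Constructed scenario: a 50-token swap lands first and moves the reserves.
    unguarded = Pool(100 * UNIT, 100 * UNIT)
    unguarded.swap_exact_output(50 * UNIT)
    paid = unguarded.swap_exact_output(UNIT)  # no bound: executes at any price
    guarded = Pool(100 * UNIT, 100 * UNIT)
    guarded.swap_exact_output(50 * UNIT)
    try:
        guarded.swap_exact_output(UNIT, max_input=quote * 101 // 100)
        reverted = False
    except InputTooHigh:
        reverted = True
    return quote, paid, reverted


if __name__ == "__main__":
    print(demo())
```

In this constructed scenario the unguarded swap pays roughly four times the quoted input for the same output, while the guarded call with a 1% tolerance reverts instead.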

Recommendations

function swapExactOutput(
IERC20 inputToken,
+ uint256 maxInputTokens
IERC20 outputToken,
uint256 outputAmount,
uint64 deadline
)
...
{
uint256 inputReserves = inputToken.balanceOf(address(this));
uint256 outputReserves = outputToken.balanceOf(address(this));
inputAmount = getInputAmountBasedOnOutput(
outputAmount,
inputReserves,
outputReserves
);
+ if(inputAmount > maxInputTokens){
+ revert TSwapPool__InputTooLow(inputAmount, maxInputTokens);
}
_swap(inputToken, inputAmount, outputToken, outputAmount);
}
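Review bot: the added parameter line `+ uint256 maxInputTokens` in the signature has no trailing comma, so the function will not compile as written; add the comma, and mark the closing `}` of the new `if` block with `+` as well, since it belongs to the addition. The error name `TSwapPool__InputTooLow` reads opposite to the condition `inputAmount > maxInputTokens`, which fires when the required input is higher than the caller allows; a name that matches the condition would be clearer, and the error needs a declaration, which these lines do not show. Inserting the new parameter between `inputToken` and `outputToken` also shifts the positional arguments for every existing caller, so the change should state that call sites need updating.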
Updates

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of slippage protection in `TSwapPool::swapExactOutput` causes users to potentially receive way fewer tokens
