Submission Details
Severity:
`StrategyArb` and `StrategyOp` contracts use `block.timestamp` as a deadline for token swaps
https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyArb.sol#L87
https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L102
## Summary
The `_swapUnderlyingToAsset` function in both `StrategyArb` and `StrategyOp` contracts uses `block.timestamp` as the `deadline` parameter for token swaps. This exposes users to the risk of validators delaying transactions and executing them at unfavorable prices
## Vulnerability Details
Both contracts invoke token swap functions from their respective routers (`RamsesRouter` and `VeloRouter`) with `block.timestamp` as the `deadline`. This is problematic because:
- Validators can delay the transaction to a future block, potentially causing the swap to execute at a worse price.
- Users cannot specify an acceptable time frame for the transaction to execute, increasing the risk of losses due to adverse price movements.
## Impact
Increased vulnerability to MEV attacks, allowing validators to profit at the expense of users.
## Tools Used
Manual review
## Recommendations
Update the `_swapUnderlyingToAsset` function in both contracts to include a deadline parameter. This parameter will allow users to specify a time limit for the transaction after which it cannot be executed.
Prize pool breakdown
Total prize
16,653 OP
nSLOC
25366 OP / LOC
15,800
853
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.