Submission Details
Severity: low
Invalid

Lack of Expiration Timestamp May Cause Unintended Results

Summary

The _swapUnderlyingToAsset function in the Alchemix protocol lacks a configurable expiration timestamp for transactions, relying instead on block.timestamp. This omission exposes users to the risk of delayed transaction execution, which may result in unfavorable trade conditions.

Vulnerability Details

Advanced protocols like Automated Market Makers (AMMs) typically allow users to set a deadline parameter that defines a time limit for transaction execution. This ensures that trades are executed within an acceptable timeframe or fail otherwise. In the _swapUnderlyingToAsset function, the deadline is hardcoded to block.timestamp, making the transaction valid whenever a validator includes it in a block. This means the transaction could remain in the mempool for an extended period, exposing users to the risk of delayed execution by validators, potentially under less favorable conditions than intended.

Impact

Without a configurable expiration timestamp, transactions are vulnerable to delays, resulting in execution at unintended prices or market conditions. This can lead to financial losses for users, undermining the reliability of the protocol and potentially harming user trust.

Tools Used

Manual review

Recommendations


It is recommended to allow users interacting with the contract to set the expiration deadline in the functions that interact with AMMs.
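The difference between the hardcoded and the caller-supplied deadline, as an added example that is not code from the Alchemix repository or from this submission. MockRouter, SwapCaller and their function names are hypothetical, and the router models only the deadline check that AMM routers typically perform.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed stand-in for an AMM router: only the deadline check is modelled.
contract MockRouter {
    error Expired(uint256 deadline, uint256 nowTs);

    function swap(uint256 amountIn, uint256 minOut, uint256 deadline)
        external
        view
        returns (uint256 amountOut)
    {
        // Typical AMM guard: reject the trade once the deadline has passed.
        if (block.timestamp > deadline) revert Expired(deadline, block.timestamp);
        amountOut = amountIn; // 1:1 placeholder price, not a real pool
        require(amountOut >= minOut, "slippage");
    }
}

/// Hypothetical caller showing both ways of passing the deadline.
contract SwapCaller {
    MockRouter public immutable router;

    constructor(MockRouter router_) {
        router = router_;
    }

    /// Pattern described in the finding: block.timestamp is read at execution
    /// time, so the router compares block.timestamp with itself and the guard
    /// never reverts, however long the transaction waited before inclusion.
    function swapHardcoded(uint256 amountIn, uint256 minOut) external view returns (uint256) {
        return router.swap(amountIn, minOut, block.timestamp);
    }

    /// Recommended pattern: the deadline is fixed by the user when the
    /// transaction is signed, so inclusion after that time reverts with Expired.
    function swapWithDeadline(uint256 amountIn, uint256 minOut, uint256 deadline)
        external
        view
        returns (uint256)
    {
        return router.swap(amountIn, minOut, deadline);
    }
}
```

In a test harness that can move block time forward, swapWithDeadline reverts once the clock passes the supplied deadline, while swapHardcoded keeps succeeding at any later timestamp.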

Updates

Appeal created

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
