Dangerous use of the deadline parameter when executing a swap with the Velo router.
The protocol is using block.timestamp as the deadline argument while executing a swap through the Velo router. This completely defeats the purpose of using a deadline.
Actions that are executed through a router in Velo, Uniswap and other AMMs are protected by a deadline parameter to limit the execution of pending transactions. Swap and liquidity functions in the router check this parameter against the current block timestamp in order to discard expired actions: a transaction whose deadline is earlier than block.timestamp reverts.
In StrategyOp.sol#L102 and StrategyArb.sol#L87, the call to IVeloRouter(router)::swapExactTokensForTokens passes block.timestamp as the argument for the deadline parameter in the call to the Velo router. Because block.timestamp is evaluated in the block that executes the transaction, the router's check always passes, whenever the transaction is eventually mined.
Failure to provide a proper deadline value enables pending transactions to be maliciously executed at a later point. Transactions that provide an insufficient amount of gas, such that they are not mined within a reasonable amount of time, can be picked up by malicious actors or MEV bots and executed later, to the detriment of the submitter, at a price that no longer reflects the conditions under which the swap was requested. See this issue for an excellent reference on the topic (the author runs a MEV bot).
Add a deadline parameter to the strategy functions that perform the swap through IVeloRouter(router)::swapExactTokensForTokens and forward this parameter to the corresponding underlying call to the Velo router, instead of passing block.timestamp.
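As an added illustration (not the project's code and not Velodrome's), the vulnerable call shape beside the recommended one, written against a minimal stand-in for the Velo router. The IVeloRouter interface shape, the Route struct layout, the MockVeloRouter and the contract and function names are assumptions made for this example; the real router exposes more functions and its struct layout depends on the router version.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal shape of the Velo router interface (hypothetical stand-in).
interface IVeloRouter {
    struct Route {
        address from;
        address to;
        bool stable;
    }

    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256 amountOutMin,
        Route[] calldata routes,
        address to,
        uint256 deadline
    ) external returns (uint256[] memory amounts);
}

// Stand-in for the router's deadline check (illustrative only, not Velodrome code).
// Routers guard swap and liquidity functions with a modifier of this shape.
contract MockVeloRouter is IVeloRouter {
    modifier ensure(uint256 deadline) {
        require(deadline >= block.timestamp, "Router: EXPIRED");
        _;
    }

    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256 /* amountOutMin */,
        Route[] calldata routes,
        address /* to */,
        uint256 deadline
    ) external override ensure(deadline) returns (uint256[] memory amounts) {
        // No real swap here; only the deadline behaviour matters for this example.
        amounts = new uint256[](routes.length + 1);
        amounts[0] = amountIn;
    }
}

// Vulnerable pattern: the deadline is computed when the transaction is *executed*,
// so `deadline >= block.timestamp` in the router can never fail, and a transaction
// left pending in the mempool remains valid indefinitely.
contract StrategyVulnerable {
    IVeloRouter public immutable router;

    constructor(IVeloRouter _router) { router = _router; }

    function _swap(uint256 amountIn, uint256 minOut, IVeloRouter.Route[] memory routes) internal {
        router.swapExactTokensForTokens(amountIn, minOut, routes, address(this), block.timestamp);
    }
}

// Hardened pattern: the caller supplies the deadline when the transaction is built
// off-chain and the strategy forwards it unchanged, so execution after that
// timestamp reverts in the router.
contract StrategyFixed {
    IVeloRouter public immutable router;
    address public immutable keeper; // hypothetical: whoever is allowed to trigger swaps

    constructor(IVeloRouter _router, address _keeper) {
        router = _router;
        keeper = _keeper;
    }

    function swap(
        uint256 amountIn,
        uint256 minOut,
        IVeloRouter.Route[] calldata routes,
        uint256 deadline
    ) external {
        require(msg.sender == keeper, "StrategyFixed: not keeper");
        // Local check with a clear message; the router enforces the same condition.
        require(deadline >= block.timestamp, "StrategyFixed: deadline passed");
        router.swapExactTokensForTokens(amountIn, minOut, routes, address(this), deadline);
    }
}
```

The deadline should be set by the transaction builder (for example, the current time plus a few minutes), not derived on-chain; any value computed from block.timestamp inside the transaction, including block.timestamp plus an offset, reproduces the same problem because it is evaluated at execution time.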