Summary

Dangerous use of deadline parameter when executing a snap with the velo router.

Vulnerability details

The protocol is using block.timestamp as the deadline argument while executing a swap through the velo router. This completely defeats the purpose of using a deadline.

Actions that are executed through a router in Velo, Uniswap and other AMM's are protected by a deadline parameter to limit the execution of pending transactions. Functions that modify the liquidity of the pool check this parameter against the current block timestamp in order t€o discard expired actions.

Proof Of Concept

As seen below, IVeloRouter(router)::swapExactTokensForTokens provides block.timestamp as the argument for the deadline parameter in the call to the velo router. StrategyOp.sol#L102, StrategyArb.sol#L87.

Impact

Failure to provide a proper deadline value enables pending transactions to be maliciously executed at a later point. Transactions that provide an insufficient amount of gas such that they are not mined within a reasonable amount of time, can be picked by malicious actors or MEV bots and executed later in detriment of the submitter. See this issue for an excellent reference on the topic (the author runs a MEV bot).

Recommended Mitigation Steps

Add a deadline parameter to the IVeloRouter(router)::swapExactTokensForTokens function and forward this parameter to the corresponding underlying call to the velo router.