DeFiFoundrySolidity
16,653 OP
Submission Details
Severity: medium
Invalid

Dangerous use of deadline parameter when executing a swap with the velo router.

Summary

Dangerous use of deadline parameter when executing a swap with the velo router.

Vulnerability details

The protocol is using block.timestamp as the deadline argument while executing a swap through the velo router. This completely defeats the purpose of using a deadline.

Actions that are executed through a router in Velo, Uniswap and other AMMs are protected by a deadline parameter to limit how long a pending transaction remains executable. Functions that modify the liquidity of the pool check this parameter against the current block timestamp in order to discard expired actions.

Proof Of Concept

As seen below, the call to IVeloRouter(router)::swapExactTokensForTokens is given block.timestamp as the argument for the deadline parameter. StrategyOp.sol#L102, StrategyArb.sol#L87.

```solidity
function _swapUnderlyingToAsset(uint256 _amount, uint256 minOut, IVeloRouter.route[] calldata _path) internal {
    // TODO : we swap WETH to ALETH -> need to check that price is better than 1:1
    // uint256 oraclePrice = 1e18 * 101 / 100;
    require(minOut > _amount, "minOut too low");
    uint256 underlyingBalance = underlying.balanceOf(address(this));
    require(underlyingBalance >= _amount, "not enough underlying balance");
@>  IVeloRouter(router).swapExactTokensForTokens(_amount, minOut, _path, address(this), block.timestamp);
}
```

Impact

Failure to provide a proper deadline value enables pending transactions to be maliciously executed at a later point. Transactions that provide an insufficient amount of gas, such that they are not mined within a reasonable amount of time, can be picked up by malicious actors or MEV bots and executed later to the detriment of the submitter. See this issue for an excellent reference on the topic (the author runs a MEV bot).

Recommended Mitigation Steps

Add a deadline parameter to the functions that call IVeloRouter(router)::swapExactTokensForTokens and forward this parameter to the corresponding underlying call to the velo router, instead of passing block.timestamp.
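One way to apply this mitigation, as an added example that is not the project's own code: the deadline is chosen by the caller when the transaction is signed and forwarded unchanged to the router, so a transaction that sits in the mempool past that time reverts instead of executing at a stale price. The IVeloRouter interface here is a minimal assumed shape (route struct and one swap function), and the contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal interfaces for this example only (not the project's own files).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

interface IVeloRouter {
    struct route { address from; address to; bool stable; }
    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256 amountOutMin,
        route[] calldata routes,
        address to,
        uint256 deadline
    ) external returns (uint256[] memory amounts);
}

// Hypothetical strategy contract showing the hardened swap path.
abstract contract StrategyWithDeadline {
    IERC20 public immutable underlying;
    address public immutable router;

    constructor(IERC20 _underlying, address _router) {
        underlying = _underlying;
        router = _router;
    }

    // Hardened: the deadline comes from the caller, not from block.timestamp.
    function _swapUnderlyingToAsset(
        uint256 _amount,
        uint256 minOut,
        IVeloRouter.route[] calldata _path,
        uint256 deadline
    ) internal {
        // Fail early with a clear reason; the router performs the same comparison.
        require(deadline >= block.timestamp, "swap expired");
        require(minOut > _amount, "minOut too low");
        require(underlying.balanceOf(address(this)) >= _amount, "not enough underlying balance");
        // The user-supplied deadline is forwarded unchanged to the router.
        IVeloRouter(router).swapExactTokensForTokens(_amount, minOut, _path, address(this), deadline);
    }

    // Example external entry point: the caller passes an absolute timestamp (e.g. now + 5 minutes).
    function swapUnderlyingToAsset(uint256 _amount, uint256 minOut, IVeloRouter.route[] calldata _path, uint256 deadline) external virtual {
        _swapUnderlyingToAsset(_amount, minOut, _path, deadline);
    }
}
```

The local `require(deadline >= block.timestamp)` is optional since the router enforces it too, but it gives callers a revert reason from this contract rather than from the router.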

Updates

Appeal created

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
