Submission Details
Severity: medium
Invalid

Deadline cannot be block.timestamp as it offers no protection

Summary

Whenever `swapExactTokensForTokens` is called on a router, a deadline is supposed to be set, but the deadline passed there is `block.timestamp`. This is not a valid deadline because it offers no protection.

Vulnerability Details

There are two instances of this bug, in StrategyOp and StrategyArb.

Both StrategyOp and StrategyArb have `_swapUnderlyingToAsset()`, which swaps from WETH to ALETH. Whenever this function is called, it makes a call to a router with specific parameters set.

The issue is that the deadline in the parameters provided to the router is set to `block.timestamp`, which offers no real protection, as we can see below in StrategyArb:

```solidity
function _swapUnderlyingToAsset(uint256 _amount, uint256 minOut, IRamsesRouter.route[] calldata _path) internal {
    require(minOut > _amount, "minOut too low");
    uint256 underlyingBalance = underlying.balanceOf(address(this));
    require(underlyingBalance >= _amount, "not enough underlying balance");
    // @--> the deadline argument (last parameter) is block.timestamp
    IRamsesRouter(router).swapExactTokensForTokens(_amount, minOut, _path, address(this), block.timestamp);
}
```

Impact

The deadline that is set offers no protection.

Tools Used

Manual review

Recommendations

Allow the sender to provide a real deadline.
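The following is an added example, not code from the submission or from the audited project, contrasting the `block.timestamp` deadline with a caller-supplied one. It assumes the router applies a Uniswap V2-style check that reverts when the deadline is earlier than the current block time; `MockRouter`, `DeadlineDemo` and their function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: MockRouter and DeadlineDemo are hypothetical, not project code.
// The mock keeps only the deadline check assumed for a Uniswap V2-style router.
contract MockRouter {
    error Expired(uint256 deadline, uint256 nowTs);

    function swapExactTokensForTokens(uint256 amountIn, uint256, uint256 deadline)
        external
        view
        returns (uint256)
    {
        // Evaluated in the block that includes the transaction, not when it was signed.
        if (deadline < block.timestamp) revert Expired(deadline, block.timestamp);
        return amountIn; // 1:1 placeholder output; pricing is out of scope here
    }
}

contract DeadlineDemo {
    MockRouter public immutable router;

    constructor(MockRouter _router) {
        router = _router;
    }

    // Pattern from the finding: the deadline is read in the same block as the
    // router check, so `deadline < block.timestamp` can never be true.
    function swapNoDeadline(uint256 amount, uint256 minOut) external view returns (uint256) {
        return router.swapExactTokensForTokens(amount, minOut, block.timestamp);
    }

    // Recommended pattern: the caller fixes the deadline when building the
    // transaction; if inclusion is delayed past it, the router reverts.
    function swapWithDeadline(uint256 amount, uint256 minOut, uint256 deadline)
        external
        view
        returns (uint256)
    {
        return router.swapExactTokensForTokens(amount, minOut, deadline);
    }
}
```

In a test environment that can advance block time, `swapWithDeadline` reverts with `Expired` once the chosen deadline has passed, while `swapNoDeadline` succeeds at any block time.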

Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
