DeFi, Foundry, Solidity
16,653 OP
Submission Details
Severity: low
Invalid

Usage of block.timestamp as a deadline is not as effective

Summary

When swapping WETH to ALETH, the function uses Ramses/Velo router to swap, and sets block.timestamp as the deadline.

    function _swapUnderlyingToAsset(uint256 _amount, uint256 minOut, IRamsesRouter.route[] calldata _path) internal {
        // TODO : we swap WETH to ALETH -> need to check that price is better than 1:1
        // uint256 oraclePrice = 1e18 * 101 / 100;
        require(minOut > _amount, "minOut too low");
        uint256 underlyingBalance = underlying.balanceOf(address(this));
        require(underlyingBalance >= _amount, "not enough underlying balance");
        // -> the deadline passed below is block.timestamp
        IRamsesRouter(router).swapExactTokensForTokens(_amount, minOut, _path, address(this), block.timestamp);
    }

Vulnerability Details

Protocols shouldn't set the deadline to block.timestamp: a validator can hold the transaction, and block.timestamp will then be the timestamp of whichever block the transaction is eventually put into, so this offers no protection.

Ref:

https://dacian.me/defi-slippage-attacks#heading-no-expiration-deadline

Impact

block.timestamp is not good enough.

Tools Used

Manual Review

Recommendations

Recommend setting deadline as a parameter instead.
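
The difference between the two patterns, as an added example that is not code from the audited project: MockRouter, DeadlineDemo, swapNow and swapBy are hypothetical names, and the mock keeps only the deadline check of a Uniswap-V2-style router (an assumption about how the real router enforces its deadline).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the router: only the deadline check is modelled.
// Assumption: the real router rejects a swap when deadline < block.timestamp.
contract MockRouter {
    modifier ensure(uint256 deadline) {
        require(deadline >= block.timestamp, "EXPIRED");
        _;
    }

    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256, /* amountOutMin: slippage check omitted in this mock */
        uint256 deadline
    ) external view ensure(deadline) returns (uint256) {
        return amountIn; // constructed 1:1 output, enough to show the revert path
    }
}

contract DeadlineDemo {
    MockRouter public immutable router;

    constructor() {
        router = new MockRouter();
    }

    // Pattern from the finding: block.timestamp is read when the transaction
    // executes, so the router compares the current timestamp with itself.
    // The check passes no matter how long the transaction stayed unmined.
    function swapNow(uint256 amount, uint256 minOut) external view returns (uint256) {
        return router.swapExactTokensForTokens(amount, minOut, block.timestamp);
    }

    // Recommended pattern: the caller fixes the deadline when building the
    // transaction. If it is included after that time, the router reverts
    // with "EXPIRED" instead of executing at a stale price.
    function swapBy(uint256 amount, uint256 minOut, uint256 deadline)
        external
        view
        returns (uint256)
    {
        return router.swapExactTokensForTokens(amount, minOut, deadline);
    }
}
```

Advancing the block time past the supplied deadline in a test makes swapBy revert, while swapNow keeps succeeding at any timestamp.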

Updates

Appeal created

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
