Submission Details
Severity: medium
Invalid

Unsafe Deadline Usage in `_swapUnderlyingToAsset`

Vulnerability Details

The `_swapUnderlyingToAsset` function in the `StrategyArb.sol` contract uses `block.timestamp` as the deadline for the `IRamsesRouter(router).swapExactTokensForTokens` call:

```solidity
function _swapUnderlyingToAsset(uint256 _amount, uint256 minOut, IRamsesRouter.route[] calldata _path) internal {
    require(minOut > _amount, "minOut too low");
    uint256 underlyingBalance = underlying.balanceOf(address(this));
    require(underlyingBalance >= _amount, "not enough underlying balance");
@>  IRamsesRouter(router).swapExactTokensForTokens(_amount, minOut, _path, address(this), block.timestamp);
}
```

Using `block.timestamp` as the deadline is effectively a no-op that offers no protection: `block.timestamp` takes its value when the transaction is mined, so the deadline always equals the current time at execution and can never be exceeded. This provides no meaningful protection against delayed transactions during congested network conditions, potentially leading to unfavorable swaps.

Impact

Lack of deadline enforcement can result in swap execution at significantly different prices than anticipated, leading to slippage or losses.

Tools Used

Manual Review

Recommendations

Add a deadline parameter to the _swapUnderlyingToAsset function. This parameter should define a future timestamp (e.g., block.timestamp + X seconds) to provide effective protection against stale or delayed transactions:
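
One way to apply this recommendation, as an added example that is not part of the original submission or the project's code. The contract name `DeadlineSwapExample`, the `_deadline` parameter name, the fields of the `route` struct and the minimal interfaces are assumptions; only the call shape is taken from the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interfaces assumed for this example; only the call shape shown in
// the finding is taken from the page.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

interface IRamsesRouter {
    // Field layout is an assumption made for illustration.
    struct route {
        address from;
        address to;
        bool stable;
    }

    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256 amountOutMin,
        route[] calldata routes,
        address to,
        uint256 deadline
    ) external returns (uint256[] memory amounts);
}

// Hypothetical contract; not the project's StrategyArb.sol.
abstract contract DeadlineSwapExample {
    IERC20 public underlying;
    address public router;

    function _swapUnderlyingToAsset(
        uint256 _amount,
        uint256 minOut,
        IRamsesRouter.route[] calldata _path,
        uint256 _deadline // absolute timestamp fixed by the caller when the transaction is built
    ) internal {
        // Fail early if the transaction sat in the mempool past its deadline.
        require(_deadline >= block.timestamp, "deadline expired");
        require(minOut > _amount, "minOut too low");
        uint256 underlyingBalance = underlying.balanceOf(address(this));
        require(underlyingBalance >= _amount, "not enough underlying balance");
        // Forward the caller's deadline instead of block.timestamp.
        IRamsesRouter(router).swapExactTokensForTokens(_amount, minOut, _path, address(this), _deadline);
    }
}
```

The deadline only constrains execution when it is fixed before the transaction is submitted; deriving it from `block.timestamp` inside the contract reproduces the original behaviour.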

Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
