Part 2

Zaros
Perpetuals DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: medium
Invalid

Frontrunning and Slippage Exploit in _performMultiDexSwap Function

Summary

The FeeDistributionBranch::_performMultiDexSwap function, which executes multi-hop swaps along a path of assets using the configured DEX swap strategies, is vulnerable to frontrunning and slippage exploitation. The function passes no slippage bound to the strategy, so an attacker can move the on-chain price with a large trade placed ahead of the swap and have the protocol's swap settle at an unfavourable rate. It also uses approve rather than safeApprove, which risks improper allowance handling and further security concerns. Together these issues can cause financial losses for users, since swaps execute at worse-than-expected rates.

Vulnerability Details

```solidity
function _performMultiDexSwap(
    AssetSwapPath.Data memory swapPath,
    uint256 assetAmount
)
    internal
    returns (uint256)
{
    address[] memory assets = swapPath.assets;
    uint128[] memory dexSwapStrategyIds = swapPath.dexSwapStrategyIds;
    uint256 amountIn = assetAmount;

    for (uint256 i; i < assets.length - 1; i++) {
        DexSwapStrategy.Data storage dexSwapStrategy = DexSwapStrategy.loadExisting(dexSwapStrategyIds[i]);
        IERC20(assets[i]).approve(dexSwapStrategy.dexAdapter, amountIn);

        SwapExactInputSinglePayload memory swapCallData = SwapExactInputSinglePayload({
            tokenIn: assets[i],
            tokenOut: assets[i + 1],
            amountIn: amountIn,
            recipient: address(this)
        });

        amountIn = dexSwapStrategy.executeSwapExactInputSingle(swapCallData); // @audit-issue No slippage protection
    }

    return amountIn;
}
```

Impact

Because _performMultiDexSwap carries no slippage bound, the protocol may receive less WETH than expected when convertAccumulatedFeesToWeth converts accumulated fees through it. Price movement and thin liquidity on the DEXes along the path can reduce the output, so the protocol can take unexpected losses that make it harder to meet financial obligations or keep accurate balances. The missing bound also exposes the swap to manipulation: a malicious actor can exploit the absence of slippage control to reduce the amount of WETH the protocol receives.

Tools Used

Recommendations

```solidity
SwapExactInputSinglePayload memory swapCallData = SwapExactInputSinglePayload({
    tokenIn: assets[i],
    tokenOut: assets[i + 1],
    amountIn: amountIn,
@>  minAmountOut: minAmountOut, // slippage protection
    recipient: address(this)
});
```

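As an added illustration, not code from Zaros or from the submitter, here is one way to carry the recommended floor through every hop and onto the final amount received. It assumes a hypothetical ISwapAdapter interface that accepts a minAmountOut, OpenZeppelin's SafeERC20 at v4.9 or later (for forceApprove), and that per-hop expected outputs are quoted by the caller:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import { SafeERC20 } from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical single-hop adapter; stands in for the DEX swap strategy on the original page.
interface ISwapAdapter {
    function swapExactInputSingle(
        address tokenIn, address tokenOut, uint256 amountIn, uint256 minAmountOut, address recipient
    ) external returns (uint256 amountOut);
}

abstract contract GuardedMultiHopSwap {
    using SafeERC20 for IERC20;

    uint256 internal constant BPS = 10_000;

    error BadPath();
    error StaleQuote(uint256 deadline, uint256 blockTime);
    error SlippageExceeded(uint256 hop, uint256 amountOut, uint256 minAmountOut);

    /// @param expectedOut quoted output of each hop (off-chain quote or oracle), one entry per hop
    /// @param maxSlippageBps tolerated shortfall below each quote, e.g. 50 = 0.5%
    /// @param minFinalOut hard floor on the last asset received, independent of the per-hop quotes
    function _guardedMultiDexSwap(
        address[] memory assets,
        ISwapAdapter[] memory adapters,
        uint256[] memory expectedOut,
        uint256 amountIn,
        uint256 maxSlippageBps,
        uint256 minFinalOut,
        uint256 deadline
    ) internal returns (uint256 amountOut) {
        if (block.timestamp > deadline) revert StaleQuote(deadline, block.timestamp);
        if (assets.length < 2 || adapters.length != assets.length - 1 || expectedOut.length != adapters.length) revert BadPath();
        amountOut = amountIn;
        for (uint256 i; i < adapters.length; i++) {
            uint256 minOut = expectedOut[i] * (BPS - maxSlippageBps) / BPS;
            // forceApprove resets a non-zero allowance first for tokens that require it (USDT-style)
            IERC20(assets[i]).forceApprove(address(adapters[i]), amountOut);
            amountOut = adapters[i].swapExactInputSingle(assets[i], assets[i + 1], amountOut, minOut, address(this));
            // do not rely on the adapter alone to honour the floor
            if (amountOut < minOut) revert SlippageExceeded(i, amountOut, minOut);
        }
        // the final check guards the amount the protocol actually keeps, whatever the intermediate quotes were
        if (amountOut < minFinalOut) revert SlippageExceeded(adapters.length, amountOut, minFinalOut);
    }
}
```

A deadline plus a quote-derived floor means a stale or manipulated pool reverts the fee conversion instead of silently settling it at a worse rate.
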
Updates

Lead Judging Commences

inallhonesty (Lead Judge), 10 months ago:
Submission Judgement Published. Invalidated. Reason: Incorrect statement

Appeal created

classick11 (Submitter), 10 months ago
inallhonesty (Lead Judge), 10 months ago

inallhonesty (Lead Judge), 9 months ago:
Submission Judgement Published. Invalidated. Reason: Incorrect statement
