Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: high
Invalid

Global Deadline Exposes Users to MEV Attacks, Price Slippage and Transaction Failures in UniswapV3Adapter and UniswapV2Adapter Contracts

Summary

The UniswapV3Adapter and UniswapV2Adapter contracts inherit a global deadline from BaseAdapter instead of allowing transactions to specify their own deadline values. This exposes transactions to MEV attacks, price slippage, and potential failures if the deadline is too short, reducing flexibility and security for time-sensitive trades.

Vulnerability Details

The UniswapV3Adapter and UniswapV2Adapter contracts use a global deadline rather than allowing each transaction to specify its own. In the executeSwapExactInputSingle and executeSwapExactInput functions, the deadline is read from the BaseAdapter contract instead of being provided explicitly with each trade. Uniswap’s native interface supports a per-transaction deadline, which lets users define a custom validity period for each trade.

src/utils/dex-adapters/BaseAdapter.sol:setDeadline#L153-L162

uint256 deadline;

function setDeadline(uint256 _deadline) public onlyOwner {
    // revert if the deadline is in the past
    if (_deadline < block.timestamp) revert Errors.SwapDeadlineInThePast();
    // set the new deadline
    deadline = _deadline;
    // emit the event
    emit LogSetDeadline(_deadline);
}

src/utils/dex-adapters/UniswapV2Adapter.sol:executeSwapExactInput#L131

src/utils/dex-adapters/UniswapV2Adapter.sol:executeSwapExactInputSingle#L101

src/utils/dex-adapters/UniswapV3Adapter.sol:executeSwapExactInput#L136

src/utils/dex-adapters/UniswapV3Adapter.sol:executeSwapExactInputSingle#L106

function executeSwapExactInputSingle(SwapExactInputSinglePayload calldata swapPayload)
    external
    returns (uint256 amountOut)
{
    ...
    return swapRouter.exactInputSingle(
        IUniswapV3RouterInterface.ExactInputSingleParams({
            tokenIn: swapPayload.tokenIn,
            tokenOut: swapPayload.tokenOut,
            fee: feeBps,
            recipient: swapPayload.recipient,
            deadline: deadline, // @audit global `deadline` from `BaseAdapter` contract
            amountIn: swapPayload.amountIn,
            amountOutMinimum: amountOutMin,
            sqrtPriceLimitX96: 0
        })
    );
}

Impact

  1. MEV Exploitation Risk: If the global deadline is too long, transactions may remain in the mempool for extended periods, making them susceptible to MEV attacks, such as front-running or sandwich attacks.

  2. Price Slippage Risk: A long deadline increases the likelihood of significant price fluctuations before execution, potentially leading to worse trade execution than expected.

  3. Reduced User Control: Users are unable to set specific deadlines for different transactions, reducing flexibility in executing time-sensitive trades.

  4. Transaction Failures: If the global deadline is too short, valid trades may fail unnecessarily.

Tools Used

Manual Code Review

Recommendations

It is recommended to add a deadline parameter to SwapExactInputSinglePayload and SwapExactInputPayload and to use this transaction-specific deadline in the Uniswap calls. If a transaction-specific deadline is not provided, fall back to a reasonable default instead of a global value.
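One way to implement the per-call deadline with the fallback recommended above, as an added example that is not Zaros code. The helper name, the two window constants, the far-future cap and the convention that 0 means "not provided" are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @notice Added illustration, not Zaros code. All names are hypothetical except
/// SwapDeadlineInThePast, which mirrors the error used by BaseAdapter.setDeadline.
abstract contract PerCallDeadline {
    error SwapDeadlineInThePast();
    error SwapDeadlineTooFar(uint256 requested, uint256 latestAllowed);

    /// @dev Assumed policy values; tune per deployment.
    uint256 internal constant DEFAULT_WINDOW = 2 minutes;
    uint256 internal constant MAX_WINDOW = 30 minutes;

    /// @notice Turn the caller-supplied deadline into the value passed to the router.
    /// @param requested Absolute unix timestamp chosen off-chain when the
    ///        transaction was built, or 0 meaning "not provided".
    function _resolveDeadline(uint256 requested) internal view returns (uint256) {
        if (requested == 0) {
            // Fallback: computed at inclusion time, so it can never expire while
            // the transaction waits in the mempool. It only satisfies the router's
            // deadline check and gives no protection against delayed inclusion.
            return block.timestamp + DEFAULT_WINDOW;
        }
        // Same comparison as setDeadline: reject a deadline that has already passed.
        if (requested < block.timestamp) revert SwapDeadlineInThePast();
        // Reject far-future values that would recreate a long-lived deadline.
        uint256 latestAllowed = block.timestamp + MAX_WINDOW;
        if (requested > latestAllowed) revert SwapDeadlineTooFar(requested, latestAllowed);
        return requested;
    }
}

/// @dev Minimal harness so the helper can be called from a unit test.
contract PerCallDeadlineHarness is PerCallDeadline {
    function resolve(uint256 requested) external view returns (uint256) {
        return _resolveDeadline(requested);
    }
}
```

In the adapter, the router parameters would then use `deadline: _resolveDeadline(swapPayload.deadline)` in place of the global `deadline`.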

// @audit Modify `SwapExactInputSinglePayload` and `SwapExactInputPayload` to include a `deadline` field, For example:
struct SwapExactInputSinglePayload {
address tokenIn;
address tokenOut;
uint256 amountIn;
address recipient;
+ uint256 deadline;
}
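Review bot: the new `uint256 deadline;` member is shown only for `SwapExactInputSinglePayload`, while the comment above also names `SwapExactInputPayload`; that struct needs the same field or the multi-hop path keeps reading the global value. Adding a member changes the struct's ABI encoding, so every caller that builds these payloads has to be updated in the same change, and the field should carry a comment stating that it is an absolute unix timestamp rather than a duration.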
// @audit Update the `executeSwapExactInputSingle` and `executeSwapExactInput` functions to use the `deadline` from `swapPayload`.
- deadline: deadline,
+ deadline: swapPayload.deadline
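Review bot: the added line `deadline: swapPayload.deadline` drops the trailing comma that the removed line had, and in the struct literal shown earlier this field is followed by `amountIn`, so as written it will not compile. The recommendation also asks for a fallback when no deadline is supplied, but this line forwards the payload value unchecked, so a payload with `deadline` left at 0 is passed straight to the router; validate or default the value before the call.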
Updates

Lead Judging Commences

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
