Part 2

Zaros
Perpetuals DEX Foundry Solidity
70,000 USDC
Submission Details
Severity: low
Invalid

BaseAdapter uses a global deadline for all swaps, which introduces potential risks

Summary

The current implementation of the BaseAdapter contract allows the owner to set a global deadline for all swaps. However, this design is problematic because the deadline is a transaction-specific parameter that should be controlled by the user initiating the swap, not the contract owner. This centralized control introduces potential risks and reduces flexibility for users.

Vulnerability Details

The deadline is currently set by the owner through the setDeadline function. This means all swaps executed through the contract are bound by the same global deadline.

/// @notice Sets deadline
/// @param _deadline The new deadline
function setDeadline(uint256 _deadline) public onlyOwner {
    // revert if the deadline is in the past
    if (_deadline < block.timestamp) revert Errors.SwapDeadlineInThePast();
    // set the new deadline
    deadline = _deadline;
    // emit the event
    emit LogSetDeadline(_deadline);
}

This design is flawed because the deadline is inherently tied to individual transactions. Users may have different requirements for how long they are willing to wait for their transactions to be executed. A malicious or compromised owner could set an extremely short deadline, causing all user transactions to fail.

Impact

  • Users lose control over the timing of their transactions, which is a critical aspect of decentralized finance (DeFi) interactions.

  • The contract becomes less user-friendly and more prone to failures due to mismatched expectations between the owner and users.

The impact is Low and the likelihood is Medium, so the severity is Low.

Tools Used

Manual Review

Recommendations

Modify the executeSwapExactInputSingle and executeSwapExactInput functions to accept a deadline parameter from the user.
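
A sketch of the recommendation above, added here as an example and not taken from the Zaros code base or the report: the deadline travels with each call instead of living in owner-controlled storage. The struct, the error and the `_swapSingle`/`_swapPath` hooks are hypothetical names; only the two external function names come from the report, and their real signatures are not shown on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Zaros code. Struct fields, the error and the
// _swap* hooks are hypothetical; only the two external function names
// are taken from the report.
abstract contract PerCallDeadlineAdapter {
    struct SwapPayload {
        address tokenIn;
        address tokenOut;
        uint256 amountIn;
        address recipient;
        uint256 deadline; // chosen by the caller, valid for this swap only
    }

    error SwapDeadlineExpired(uint256 deadline, uint256 currentTime);

    // There is no `deadline` storage variable and no owner-only setter:
    // the only deadline the adapter ever sees is the one carried by the call.
    modifier notExpired(uint256 userDeadline) {
        if (userDeadline < block.timestamp) {
            revert SwapDeadlineExpired(userDeadline, block.timestamp);
        }
        _;
    }

    function executeSwapExactInputSingle(SwapPayload calldata payload)
        external
        notExpired(payload.deadline)
        returns (uint256 amountOut)
    {
        // The payload, including its deadline, is handed to the DEX-specific
        // hook so the underlying router can enforce the same bound.
        amountOut = _swapSingle(payload);
    }

    function executeSwapExactInput(SwapPayload calldata payload, bytes calldata path)
        external
        notExpired(payload.deadline)
        returns (uint256 amountOut)
    {
        amountOut = _swapPath(payload, path);
    }

    // Implemented by the concrete adapter for a given DEX (assumed design).
    function _swapSingle(SwapPayload calldata payload) internal virtual returns (uint256);
    function _swapPath(SwapPayload calldata payload, bytes calldata path) internal virtual returns (uint256);
}
```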

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[INVALID] Swap Deadline is a Storage Variable and that Limits Flexibility
