Missing On-Chain Slippage Checks for Paraswap Swaps
Paraswap swaps in _doDexSwap lack explicit min-out constraints, allowing large slippage or potential MEV manipulation.
Summary
_doDexSwapsends tokens to Paraswap using externally generated call data but does not enforce a minimum output on-chain.Price could move unfavorably or front-runners could exploit the trade.
Vulnerability Details
The function calls
ParaSwapUtils.swap(...)with no additional on-chain check likerequire(outputAmount >= minExpected).If the Paraswap aggregator call is front-run or manipulated, the vault might receive fewer tokens.
ImpactSignificant user losses in extreme volatility or malicious front-running.
Unbounded slippage scenario where user deposit or vault funds get poor pricing.
Tools Used
Manual code inspection.
Common DeFi best practices for DEX aggregator usage.
Recommendations
-
Add a
minOutputAmountparameter in_doDexSwapor parse it from the ParaSwap call data, then assert on-chain withrequire. -
Alternatively, incorporate a slippage tolerance check in the vault logic itself.
Lead Judging Commences
invalid_swap_slippage_and_deadline
Slippage and deadline are handled externally. Paraswap implementation used by the current code (behind the proxy): https://etherscan.io/address/0xdffd706ee98953d3d25a3b8440e34e3a2c9beb2c GMX code: https://github.com/gmx-io/gmx-synthetics/blob/caf3dd8b51ad9ad27b0a399f668e3016fd2c14df/contracts/order/OrderUtils.sol#L150C15-L150C33
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.