DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Lack of Slippage Protection in Swaps

Summary

The PerpetualVault does not enforce slippage checks for Paraswap operations, risking MEV exploitation.

    (bool success, ) = to.call(callData);
    require(success, "paraswap call reverted");

Vulnerability Details

No validation of minOutputAmount, meaning the swap could execute at any price.

    contract TestSlippageProtection is Test {
        PerpetualVault vault;
        MockParaswap paraswap;

        function setUp() public {
            vault = new PerpetualVault();
            paraswap = new MockParaswap();
        }

        function testLackOfSlippageProtection() public {
            uint256 minExpected = 950; // User expects at least 950 tokens
            paraswap.setOutputAmount(900); // But MEV manipulation drops it below expected
            vault.swap(1000); // User tries to swap 1000 units
            uint256 received = vault.getBalance(msg.sender);
            assertTrue(received < minExpected, "Slippage protection should prevent bad swap execution");
        }
    }

Impact

Keepers could front-run swaps, leading to unfavorable exchange rates and depositor losses.

Tools Used

Foundry
Manual Review

Recommendations

Implement minimum acceptable output amount checks before swap execution:

    require(outputAmount >= minExpected, "Slippage too high!");

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_swap_slippage_and_deadline

Slippage and deadline are handled externally.

Paraswap implementation used by the current code (behind the proxy): https://etherscan.io/address/0xdffd706ee98953d3d25a3b8440e34e3a2c9beb2c

GMX code: https://github.com/gmx-io/gmx-synthetics/blob/caf3dd8b51ad9ad27b0a399f668e3016fd2c14df/contracts/order/OrderUtils.sol#L150C15-L150C33
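
The check recommended in the submission, written as a balance-delta guard around the low-level call. This is an added example, not code from PerpetualVault, Paraswap, GMX or the submitter; the contract name `GuardedSwap`, the `_swap` function and its parameters are assumptions. It measures the output independently of whatever minimum the forwarded calldata encodes, which is the layer the judging comment says already enforces slippage.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Minimal ERC-20 surface needed for the balance-delta check.
interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical wrapper (assumption, not PerpetualVault): forwards aggregator
// calldata and verifies the received amount on-chain after the call returns.
// Input-token approval and access control are omitted for brevity.
contract GuardedSwap {
    error SwapCallReverted();
    error InsufficientOutput(uint256 received, uint256 minOut);
    error Expired(uint256 deadline);

    // Assumed: the only address swap calldata may be forwarded to.
    address public immutable router;

    constructor(address router_) {
        router = router_;
    }

    function _swap(
        IERC20Minimal outputToken,
        bytes memory callData,
        uint256 minOut,   // caller-supplied minimum acceptable output
        uint256 deadline  // caller-supplied latest valid timestamp
    ) internal returns (uint256 received) {
        if (block.timestamp > deadline) revert Expired(deadline);

        // Snapshot before the external call so the result does not depend
        // on a return value decoded from untrusted calldata or return data.
        uint256 beforeBal = outputToken.balanceOf(address(this));

        (bool success, ) = router.call(callData);
        if (!success) revert SwapCallReverted();

        // Checked subtraction (0.8+) reverts if the balance went down.
        received = outputToken.balanceOf(address(this)) - beforeBal;
        if (received < minOut) revert InsufficientOutput(received, minOut);
    }
}
```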
