Liquidity Management

Summary

The PerpetualVault contract performs token swaps using Paraswap DEX without implementing any slippage protection. The contract blindly executes swaps and never validates the output amounts, leaving users vulnerable to sandwich attacks, price manipulation, and significant value loss due to unfavorable trade execution.

Vulnerability Details

The _doDexSwap function fails to implement any form of minimum output validation:

1. No minimum output validation

2. No comparison against expected rates

3. Accepts any output amount, even if extremely unfavorable

4. No reversion mechanism for bad trades

5. No validation that output amount is greater than zero

The issue is particularly concerning because:

• The contract handles valuable tokens (USDC, WETH, WBTC, LINK, USDT)

• These tokens trade in highly liquid markets where MEV bots are active

• Paraswap is an aggregator routing through multiple DEXes, increasing attack surface

• Users have no opt-out or control over slippage parameters

Impact

The lack of slippage protection in DEX swaps creates serious risks:

1. Direct Loss of Funds: Users receive significantly fewer tokens than would be fair market value

2. MEV Exploitation: Sandwich attacks can extract value from every swap

3. Liquidation Risk: Unfavorable swaps may lead to insufficient collateral for positions

4. Trust Erosion: Users experiencing losses from bad trades will lose trust in the protocol

This vulnerability could be exploited on every DEX swap transaction, making it especially dangerous as it affects core functionality used throughout the protocol.

Proof of Concept

The attack flow:

1. Vault prepares to swap 100,000 USDC for ETH

2. Attacker front-runs by buying ETH, pushing price up 3%

3. Vault executes swap at inflated price, receiving 3% less ETH

4. Attacker back-runs by selling ETH, returning price to normal

5. Attacker profits ~3%, vault users lose ~3%

6. No minimum output check means transaction succeeds despite the loss

This pattern can be repeated for every DEX swap the vault performs.

Tools Used

Manual review

Recommendations

1.Add minimum output validation which is dynamically adjusted to prices passed by an oracle to all DEX swaps:

2.Add configuration options for slippage tolerance:

• Add a default maximum slippage parameter (e.g., 100 basis points / 1%)

• Allow the keeper to customize slippage tolerance for different market conditions