SSSwap

First Flight #41

Beginner FriendlyRust

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Missing Slippage Protection in `provide_liquidity` instruction

abduo_ov

Description

The provide_liquidity function fails to implement slippage protection when calculating the required amount of token B for a given amount_a of token A. Specifically:

Users supply amount_a without specifying a maximum acceptable amount for token B (max_amount_b)
The calculated amount_b (via calculate_token_b_provision_with_a_given) is used unconditionally
No validation occurs to ensure the exchange rate is within user expectations

This allows scenarios where:

A malicious actor could sandwich the transaction (front/back-run) to manipulate prices
Users receive an unfavorable exchange rate due to high slippage
Token B provision could become economically nonviable (e.g., 1 unit of token B for 1,000,000 token A)

Code Proof

pub fn provide_liquidity(context: Context<ModifyLiquidity>, amount_a: u64) -> Result<()> {

let amount_b = calculate_token_b_provision_with_a_given(

&mut context.accounts.vault_a,

&mut context.accounts.vault_b,

amount_a

)?; // No validation of amount_b

// (Token transfer logic would follow here)

}

Impact

Financial Loss: Users may receive significantly less token B than expected
MEV Exploitation: Traders could extract value through price manipulation
System Abuse: Attackers could intentionally create unfavorable pools to drain users
Trust Degradation: Users lose confidence in the protocol's safety mechanisms

Recommendation

Implement slippage protection with a user-defined maximum:

pub fn provide_liquidity(

context: Context<ModifyLiquidity>,

amount_a: u64,

+ max_amount_b: u64 // Add slippage tolerance parameter

) -> Result<()> {

let amount_b = calculate_token_b_provision_with_a_given(...)?;

+ require!(

+ amount_b <= max_amount_b,

+ LiquidityError::ExcessiveTokenBRequest

+ );

// Proceed with transfers

}

Updates

Lead Judging Commences

0xtimefliez Lead Judge 5 days ago

Submission Judgement Published

Validated

Assigned finding tags:

Liquidity Provision Lacks Slippage Protection

Rewards breakdown

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.