SSSwap

First Flight #41

Beginner FriendlyRust

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Lack of Deposit Slippage Protection in the `liquidity_operations::provide_liquidity` function

mishraji874

Description: The AMM doesn't provide slippage protection for liquidity providers, potentially exposing them to front-running attacks. While the swap functions include slippage protection parameters ( min_out and max_in ), the liquidity provision function doesn't have similar protection. When a user provides liquidity by specifying only amount_a , the contract calculates amount_b based on the current pool ratio. However, if the pool ratio changes between transaction submission and execution (due to front-running), the user might provide more amount_b than expected.

Impact:

Liquidity providers are vulnerable to front-running attacks
Users may provide more tokens than intended if pool ratios change
Economic loss for liquidity providers

Proof of Concept:

// User wants to provide liquidity with 100 token A

// Current pool: 1000 A, 500 B

// Expected amount_b = (100 * 500) / 1000 = 50 B

// Attacker front-runs with a large swap that changes the ratio

// New pool: 800 A, 625 B

// Actual amount_b = (100 * 625) / 800 = 78.125 B

// User ends up providing ~28 more token B than expected

Recommended Mitigation: Add a maximum token B parameter to the liquidity provision function:

pub fn provide_liquidity(

context: Context<ModifyLiquidity>,

amount_a: u64,

max_amount_b: u64 // New parameter

) -> Result<()> {

let amount_b = calculate_token_b_provision_with_a_given(

&mut context.accounts.vault_a,

&mut context.accounts.vault_b,

amount_a

)?;

// Add slippage protection

require!(amount_b <= max_amount_b, AmmError::Slippage);

// Rest of the function...

Ok(())

}

Updates

Lead Judging Commences

0xtimefliez Lead Judge 5 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Liquidity Provision Lacks Slippage Protection

Rewards breakdown

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.