code-423n4 / 2021-12-yetifinance-findings


Deadline based on `block.timestamp` is ineffective for contract calls, removing them can make the code simpler and save gas #269

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

WatchPug

Vulnerability details

https://github.com/code-423n4/2021-12-yetifinance/blob/5f5bf61209b722ba568623d8446111b1ea5cb61c/packages/contracts/contracts/YETI/sYETIToken.sol#L231-L231

```solidity
uint256[] memory amounts = IRouter(routerAddress).swapExactTokensForTokens(YUSDToSell, YETIOutMin, path, address(this), block.timestamp + 5 minutes);
```

`deadline` is designed for the caller to specify a deadline time for the transaction to be packed. However, since the deadline is calculated based on `block.timestamp + 5 minutes`, it won't be effective (it always passes).

Therefore, changing it to `block.timestamp` will make the code simpler and save some gas.

Recommendation

Change to:

```solidity
uint256[] memory amounts = IRouter(routerAddress).swapExactTokensForTokens(YUSDToSell, YETIOutMin, path, address(this), block.timestamp);
```

kingyetifinance commented 2 years ago

Duplicate #92

alcueca commented 2 years ago

Duplicate of #211
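Added example, not part of the original issue or the Yeti Finance code: a small Python model of the deadline check discussed in this finding, comparing a deadline derived inside the contract with one fixed by the caller at signing time. It assumes the router reverts when `deadline < block.timestamp` (Uniswap-V2-style); all function names and timestamps are constructed for illustration.

```python
FIVE_MINUTES = 300  # Solidity's `5 minutes` expressed in seconds


class Expired(Exception):
    """Stands in for the router reverting on an expired deadline."""


def router_swap(block_timestamp, deadline):
    # Assumed router rule: revert unless deadline >= block.timestamp.
    if deadline < block_timestamp:
        raise Expired("deadline %d < block.timestamp %d" % (deadline, block_timestamp))
    return "swapped"


def in_contract_deadline(block_timestamp, offset):
    # Pattern from the finding: the calling contract computes the deadline
    # from the timestamp of the very block it executes in.
    return router_swap(block_timestamp, block_timestamp + offset)


def caller_deadline(block_timestamp, deadline):
    # Hypothetical alternative: the deadline is chosen when the transaction
    # is signed and passed through to the router unchanged.
    return router_swap(block_timestamp, deadline)


def outcome(fn, *args):
    try:
        return fn(*args)
    except Expired:
        return "reverted"


def simulate(signed_at, delays):
    """Return (delay, +5min in-contract, +0 in-contract, caller-supplied) rows."""
    rows = []
    for delay in delays:
        mined_at = signed_at + delay  # block.timestamp when finally included
        rows.append((
            delay,
            outcome(in_contract_deadline, mined_at, FIVE_MINUTES),
            outcome(in_contract_deadline, mined_at, 0),
            outcome(caller_deadline, mined_at, signed_at + FIVE_MINUTES),
        ))
    return rows


if __name__ == "__main__":
    for row in simulate(1_640_000_000, [0, 60, 300, 301, 86_400]):  # constructed
        print("delay=%6ds  +5min=%s  +0=%s  caller=%s" % row)
```

The two in-contract variants behave identically for every inclusion delay, which is the equivalence the finding relies on; only the caller-supplied deadline reverts once the transaction has waited longer than five minutes.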