code-423n4 / 2022-10-thegraph-findings

Unused slippage params #94

Closed code423n4 closed 1 year ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-10-thegraph/blob/main/contracts/l2/gateway/L2GraphTokenGateway.sol#L141-L142

Vulnerability details

Impact

Unused slippage params. The function outboundTransfer in L2GraphTokenGateway (both L1 and L2) does not use slippage parameters, making it susceptible to sandwich attacks / MEV.

Proof of Concept

https://github.com/code-423n4/2022-10-thegraph/blob/main/contracts/l2/gateway/L2GraphTokenGateway.sol#L141-L142

    uint256, // unused on L2
    uint256, // unused on L2

Tools Used

Recommended Mitigation Steps

Consider paying some attention to the slippage to reduce possible manipulation attacks from mempool snipers.

0xean commented 1 year ago

Closing as invalid. Rates are meant to be 1:1 here.