code-423n4 / 2023-08-shell-findings


Swapping lacks deadline check #253

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-shell/blob/c61cf0e01bada04c3d6055acb81f61955ed600aa/src/proteus/EvolvingProteus.sol#L272-L304

Vulnerability details

Impact

There is no deadline when swapping tokens using EvolvingProteus. Swaps that are done through low gas transactions may be stuck in the mempool for a long time, resulting in an unfavourable swap.

Proof of Concept

Evolving Proteus seems like an upgrade to UniswapV3 and it's primarily for dutch auctions and dynamic pools. This means that they have a swap feature as well, but the swap feature doesn't have a deadline check attached. When transactions are performed using the shell protocol, if there is a huge inflow of transactions in the blockchain, the transaction might stay dormant in the mempool for a while, and will result in an unfavourable swap.

    function swapGivenInputAmount(
        uint256 xBalance,
        uint256 yBalance,
        uint256 inputAmount,
        SpecifiedToken inputToken
    ) external view returns (uint256 outputAmount) {
//@audit there is no instance of checking the deadline here
        // input amount validations against the current balance
        require(
            inputAmount < INT_MAX && xBalance < INT_MAX && yBalance < INT_MAX
        );

        _checkAmountWithBalance(
            (inputToken == SpecifiedToken.X) ? xBalance : yBalance,
            inputAmount
        );

        int256 result = _swap(
            FEE_DOWN,
            int256(inputAmount),
            int256(xBalance),
            int256(yBalance),
            inputToken
        );
        // amount cannot be less than 0
        require(result < 0);

        // output amount validations against the current balance
        outputAmount = uint256(-result);
        _checkAmountWithBalance(
            (inputToken == SpecifiedToken.X) ? yBalance : xBalance,
            outputAmount
        );
    }

Tools Used

Manual Review

Recommended Mitigation Steps

UniswapV3 has the checkDeadline function to make sure that transactions will auto revert after passing a certain deadline to prevent unfavourable swaps.

 function exactInputSingle(ExactInputSingleParams calldata params)
        external
        payable
        override
->      checkDeadline(params.deadline)
        returns (uint256 amountOut)
    {

https://etherscan.io/address/0xe592427a0aece92de3edee1f18e0157c05861564#code

Assessed type

Timing
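The mitigation suggested in the finding above, as an added example (not code from the finding or from the Shell Protocol repository): a hypothetical entry-point contract that wraps the quoted pricing function behind a UniswapV3-style checkDeadline modifier. The interface, contract, event, error and parameter names are assumptions; the minOutputAmount floor goes slightly beyond the finding to show the slippage check that normally accompanies a deadline.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Assumed shape of the pricing function quoted in the finding; this interface is
// part of the added example, not the project's own declaration.
enum SpecifiedToken { X, Y }

interface IEvolvingProteusLike {
    function swapGivenInputAmount(
        uint256 xBalance,
        uint256 yBalance,
        uint256 inputAmount,
        SpecifiedToken inputToken
    ) external view returns (uint256 outputAmount);
}

// Hypothetical entry-point contract: the deadline belongs on the transaction that
// actually executes the swap, not on the pure pricing math.
contract DeadlineGuardedSwap {
    IEvolvingProteusLike public immutable curve;
    event Swapped(address indexed sender, uint256 inputAmount, uint256 outputAmount);
    error TransactionTooOld(uint256 deadline, uint256 blockTimestamp);
    error InsufficientOutput(uint256 outputAmount, uint256 minOutputAmount);

    constructor(IEvolvingProteusLike _curve) { curve = _curve; }

    // Same idea as UniswapV3's checkDeadline modifier: once block.timestamp has
    // passed the caller-supplied deadline, the whole transaction reverts, so a
    // swap that sat in the mempool cannot execute against stale prices.
    modifier checkDeadline(uint256 deadline) {
        if (block.timestamp > deadline) revert TransactionTooOld(deadline, block.timestamp);
        _;
    }

    // Balances are passed in to keep the example self-contained; a real integration
    // would read them from the pool's own accounting. minOutputAmount is a slippage
    // floor that complements the deadline (a bounded window AND a bounded price).
    function swapExactInput(
        uint256 xBalance,
        uint256 yBalance,
        uint256 inputAmount,
        SpecifiedToken inputToken,
        uint256 minOutputAmount,
        uint256 deadline
    ) external checkDeadline(deadline) returns (uint256 outputAmount) {
        outputAmount = curve.swapGivenInputAmount(xBalance, yBalance, inputAmount, inputToken);
        if (outputAmount < minOutputAmount) revert InsufficientOutput(outputAmount, minOutputAmount);
        emit Swapped(msg.sender, inputAmount, outputAmount);
    }
}
```

A transaction whose deadline is already in the past when it is finally mined reverts in the modifier before any pricing or transfer logic runs, which is the behaviour the recommended UniswapV3 pattern provides.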

c4-pre-sort commented 1 year ago

0xRobocop marked the issue as low quality report

c4-pre-sort commented 1 year ago

0xRobocop marked the issue as duplicate of #10

c4-judge commented 1 year ago

JustDravee marked the issue as unsatisfactory: Invalid