c4-pre-sort
commented
11 months ago DadeKuma marked the issue as duplicate of #122
Closed c4-bot-8 closed 11 months ago
c4-pre-sort
commented
11 months ago DadeKuma marked the issue as duplicate of #122
c4-pre-sort
commented
11 months ago DadeKuma marked the issue as insufficient quality report
c4-judge
commented
10 months ago 0xean changed the severity to QA (Quality Assurance)
c4-judge
commented
10 months ago 0xean marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-11-zetachain/blob/b237708ed5e86f12c4bddabddfd42f001e81941a/repos/protocol-contracts/contracts/evm/tools/ZetaTokenConsumerUniV3.strategy.sol#L111 https://github.com/code-423n4/2023-11-zetachain/blob/b237708ed5e86f12c4bddabddfd42f001e81941a/repos/protocol-contracts/contracts/evm/tools/ZetaTokenConsumerUniV3.strategy.sol#L136 https://github.com/code-423n4/2023-11-zetachain/blob/b237708ed5e86f12c4bddabddfd42f001e81941a/repos/protocol-contracts/contracts/evm/tools/ZetaTokenConsumerUniV3.strategy.sol#L171 https://github.com/code-423n4/2023-11-zetachain/blob/b237708ed5e86f12c4bddabddfd42f001e81941a/repos/protocol-contracts/contracts/evm/tools/ZetaTokenConsumerUniV2.strategy.sol#L87 https://github.com/code-423n4/2023-11-zetachain/blob/b237708ed5e86f12c4bddabddfd42f001e81941a/repos/protocol-contracts/contracts/evm/tools/ZetaTokenConsumerUniV2.strategy.sol#L115 https://github.com/code-423n4/2023-11-zetachain/blob/b237708ed5e86f12c4bddabddfd42f001e81941a/repos/protocol-contracts/contracts/evm/tools/ZetaTokenConsumerUniV2.strategy.sol#L153
Vulnerability details
Impact
Loss of fund due to sandwich attack at maximum slippage in turbulent market condition.
Proof of Concept
The main issue is that the deadline is set with a dynamic value
block.timestamp. Let's remove theMAX_DEADLINEadded to the block.timestamp for simplicity for now.The
block.timestampwill always be the block.timestamp at any time of execution. The block.timestamp is not a fixed unix time so calculate deadline offchain and pass it as a parameter.To calculate the deadline, get the current block.timestamp offchain which is
1702501995at the time of writting this report then add how many seconds more you want the transaction to be valid from now. Let's say 10 mins more before the transaction reverts. Then add 10mins to the current block.timestamp then pass theliteralvalue as input.So pass
1702501995as deadline.The main takeaway here is that
1702501995passed to the swap function as deadline is afixedunix time in future(10mins) butblock.timestampisdynamicthat depends on the time of execution.Below is the modifier used to check if the deadline has passed.
When you pass
block.timestampas the input above modifier then you will be checking theblock.timestampagainstblock.timestampany time the transaction is executed making the deadline check useless.This allows miners to "save the tx for later" when there will be maximum slippage and MEV gains through frontrunning bots.
The Uniswap docs defines
deadlineas "the unix time after which a transaction will be reverted, to protect against long delays and the increased chance of large price swings therein" ref: https://docs.uniswap.org/contracts/v3/guides/swaps/single-swaps#swap-input-parametersSo
deadlineshould be passed as input just like the minimum output.Tools Used
Uniswap checkdeadline modifier https://github.com/Uniswap/v3-periphery/blob/697c2474757ea89fec12a4e6db16a574fe259610/contracts/base/PeripheryValidation.sol
Recommended Mitigation Steps
The deadline literal should be gotten offchain and passed as input parameter. For example the current block timestamp at the time of this report is
1702501395.So if a user wants the transaction to be invalid after 10mins. Convert 10mins to seconds and add to the current timestamp. 1702501395 + (10 * 60) = 1702501995.
The
deadlinethat should be passed to the function is1702501995.1702501995is a fixed literal and would make the transaction revert when the block.timestamp exceeds this fixed timestamp literal.Assessed type
MEV