code-423n4 / 2024-05-predy-findings


Missing deadlines in swap functions #123

Closed howlbot-integration[bot] closed 4 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/settlements/UniswapSettlement.sol#L22-L56

Vulnerability details

Summary

The swapExactIn and swapExactOut functions in UniswapSettlement.sol lack a deadline parameter for execution.

Impact

Without a deadline parameter, transactions are vulnerable to delays in blockchain processing. This exposes users to significant financial risks due to potential market price fluctuations during transactions that take long to execute. Users may experience unexpected losses if market prices move unfavorably while their transactions await processing, undermining the effectiveness of any set slippage thresholds.

Proof of Concept

    function swapExactIn(
        address,                      // unused
        address baseToken,
        bytes memory data,
        uint256 amountIn,
        uint256 amountOutMinimum,
        address recipient
    ) external override returns (uint256 amountOut) {
        ERC20(baseToken).safeTransferFrom(msg.sender, address(this), amountIn);
        ERC20(baseToken).approve(address(_swapRouter), amountIn);

        // Deadline field of the router params is filled with block.timestamp, not a caller-supplied value.
        amountOut = _swapRouter.exactInput(
            ISwapRouter.ExactInputParams(data, recipient, block.timestamp, amountIn, amountOutMinimum)
        );
    }

    function swapExactOut(
        address quoteToken,
        address,                      // unused
        bytes memory data,
        uint256 amountOut,
        uint256 amountInMaximum,
        address recipient
    ) external override returns (uint256 amountIn) {
        ERC20(quoteToken).safeTransferFrom(msg.sender, address(this), amountInMaximum);
        ERC20(quoteToken).approve(address(_swapRouter), amountInMaximum);

        // Same pattern: block.timestamp is passed as the deadline.
        amountIn = _swapRouter.exactOutput(
            ISwapRouter.ExactOutputParams(data, recipient, block.timestamp, amountOut, amountInMaximum)
        );

        // Refund whatever the router did not consume.
        if (amountInMaximum > amountIn) {
            ERC20(quoteToken).safeTransfer(msg.sender, amountInMaximum - amountIn);
        }
    }

Tools Used

Manual code review

Recommended Mitigation Steps

Introduce a deadline parameter in both swapExactIn and swapExactOut functions to specify the maximum permissible time for the transaction to execute.

Assessed type

Other
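As an added illustration of the mitigation the report recommends (this is not code from the Predy repository or from the report author), a sketch of swapExactIn taking a caller-supplied deadline and passing it through to the router in place of block.timestamp. The ISwapRouter and _swapRouter names follow the excerpt above; the IERC20 stand-in, the DeadlinePassed error, the checkDeadline modifier and the dropped unused first parameter are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Minimal stand-ins for the Uniswap V3 router types used in the excerpt (assumed shapes).
interface ISwapRouter {
    struct ExactInputParams {
        bytes path;
        address recipient;
        uint256 deadline;
        uint256 amountIn;
        uint256 amountOutMinimum;
    }
    function exactInput(ExactInputParams calldata params) external payable returns (uint256 amountOut);
}

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

contract DeadlineSettlementExample {
    ISwapRouter private immutable _swapRouter;
    error DeadlinePassed(uint256 deadline, uint256 blockTime);

    constructor(ISwapRouter swapRouter) {
        _swapRouter = swapRouter;
    }

    // Reverts once the caller-chosen deadline is in the past. Passing block.timestamp
    // as the deadline (as in the excerpt) can never fail this kind of check.
    modifier checkDeadline(uint256 deadline) {
        if (block.timestamp > deadline) revert DeadlinePassed(deadline, block.timestamp);
        _;
    }

    function swapExactIn(
        address baseToken,
        bytes memory data,
        uint256 amountIn,
        uint256 amountOutMinimum,
        address recipient,
        uint256 deadline              // added: caller-supplied expiry, e.g. now + a few minutes
    ) external checkDeadline(deadline) returns (uint256 amountOut) {
        require(IERC20(baseToken).transferFrom(msg.sender, address(this), amountIn), "transferFrom failed");
        require(IERC20(baseToken).approve(address(_swapRouter), amountIn), "approve failed");
        // The same deadline reaches the router, so its own check enforces it too.
        amountOut = _swapRouter.exactInput(
            ISwapRouter.ExactInputParams(data, recipient, deadline, amountIn, amountOutMinimum)
        );
    }
}
```

swapExactOut would take the same extra parameter and forward it in ExactOutputParams; the require-based transfer checks assume tokens that return a bool, unlike the safeTransfer helpers in the original.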

c4-judge commented 4 months ago

alex-ppg marked the issue as unsatisfactory: Invalid