code-423n4 / 2024-05-predy-findings


Interactions with AMMs do not use deadlines for operations #154

Closed howlbot-integration[bot] closed 4 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/./src/settlements/UniswapSettlement.sol#L50-L50
https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/./src/settlements/UniswapSettlement.sol#L34-L34

Vulnerability details

Impact

Interactions with AMMs do not use deadlines for operations

Most of the functions that interact with AMM pools do not have a deadline parameter, but specifically the one shown below is passing block.timestamp to a pool, which means that whenever the miner decides to include the txn in a block, it will be valid at that time, since block.timestamp will be the current timestamp. A malicious miner can hold the transaction, which may be being done in order to free up capital to ensure that there are funds available to do operations to prevent a liquidation. It is highly likely that a liquidation is more profitable for a miner to mine, with its associated follow-on transactions, than to allow the decrease of liquidity. A miner can also just hold it until maximum slippage is incurred, as the judge stated.

Path: ./src/settlements/UniswapSettlement.sol

34:            ISwapRouter.ExactInputParams(data, recipient, block.timestamp, amountIn, amountOutMinimum)   // @audit-issue

50:            ISwapRouter.ExactOutputParams(data, recipient, block.timestamp, amountOut, amountInMaximum)  // @audit-issue

Tools Used

prepwn

Recommended Mitigation Steps

Add deadline arguments to all functions that interact with AMMs, and pass it along to AMM calls.

Assessed type

Other
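The pattern the finding describes and its recommended mitigation side by side, as an added example that is not the Predy project's code: the ISwapRouter subset mirrors the field order of Uniswap V3's ExactInputParams, the contract and function names are hypothetical, and token transfers and approvals are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Uniswap V3's ISwapRouter, enough to show the deadline field.
interface ISwapRouter {
    struct ExactInputParams {
        bytes path;
        address recipient;
        uint256 deadline;
        uint256 amountIn;
        uint256 amountOutMinimum;
    }

    function exactInput(ExactInputParams calldata params) external payable returns (uint256 amountOut);
}

// Hypothetical settlement contract used only to contrast the two patterns.
contract SettlementDeadlineExample {
    ISwapRouter public immutable router;

    constructor(ISwapRouter _router) {
        router = _router;
    }

    // Pattern flagged in the finding: the deadline is block.timestamp, so the
    // router's check (block.timestamp <= deadline) is satisfied in whatever block
    // the transaction eventually lands in. Only amountOutMinimum limits the damage
    // if the transaction is held back.
    function swapWithoutDeadline(bytes calldata path, address recipient, uint256 amountIn, uint256 amountOutMinimum)
        external
        returns (uint256)
    {
        return router.exactInput(ISwapRouter.ExactInputParams(path, recipient, block.timestamp, amountIn, amountOutMinimum));
    }

    // Mitigation from the finding: the caller supplies a deadline and it is
    // forwarded unchanged. A transaction included after `deadline` reverts
    // instead of executing at a stale price.
    function swapWithDeadline(bytes calldata path, address recipient, uint256 deadline, uint256 amountIn, uint256 amountOutMinimum)
        external
        returns (uint256)
    {
        // Explicit local check, so the revert does not depend on the router's behaviour.
        require(block.timestamp <= deadline, "deadline passed");
        return router.exactInput(ISwapRouter.ExactInputParams(path, recipient, deadline, amountIn, amountOutMinimum));
    }
}
```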

c4-judge commented 4 months ago

alex-ppg marked the issue as unsatisfactory: Invalid