hats-finance / Fenix--0x9d7765a7ebd5b6322a30797a44a5428531970d3d


token to token route is not protected by slippage #6

Open hats-bug-reporter[bot] opened 2 months ago

hats-bug-reporter[bot] commented 2 months ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0x585ac69239a638306d7ee8c13bf5292219124506c12a931887c5ed2176e852ce
Severity: high

Description:

Description

Inside RouterV2PathProviderUpgradeable.sol there is a function named getOptimalTokenToTokenRoute:

```solidity
    /**
     * @notice Determines the optimal route and expected output amount for a token pair given an input amount
     * @dev Searches through all possible routes to find the one that provides the highest output amount
     *
     * @param inputToken_ The address of the input token
     * @param outputToken_ The address of the output token
     * @param amountIn_ The amount of input tokens to trade
     * @return A tuple containing the optimal route and the amount out
     */
    function getOptimalTokenToTokenRoute(
        address inputToken_,
        address outputToken_,
        uint256 amountIn_
    ) external view returns (IRouterV2.route[] memory, uint256 amountOut) {
        IPairFactory factoryCache = IPairFactory(factory);
        IRouterV2 routerCache = IRouterV2(router);

        IRouterV2.route[][] memory routesTokenToToken = _getRoutesTokenToToken(inputToken_, outputToken_);

        uint256 index;
        uint256 bestMultiRouteAmountOut;

        for (uint256 i; i < routesTokenToToken.length; ) {
            if (
                factoryCache.getPair(routesTokenToToken[i][0].from, routesTokenToToken[i][0].to, routesTokenToToken[i][0].stable) !=
                address(0)
            ) {
                try routerCache.getAmountsOut(amountIn_, routesTokenToToken[i]) returns (uint256[] memory amountsOut) {
                    if (amountsOut[2] > bestMultiRouteAmountOut) {
                        bestMultiRouteAmountOut = amountsOut[2];
                        index = i;
                    }
                } catch {}
            }
            unchecked {
                i++;
            }
        }

        // ... omitted code
```

This function simply determines the optimal route and expected output amount for a token pair with the given amount.

The function will go through all possible routes and select the best route, and does so by checking the routesTokenToToken array and looking at certain features such as stability.

The problem, however, is that this process is not protected by any slippage. In a case where the value of one token drops, the user will not be protected by any slippage set or a parameter that specifies the minAmount a user should receive.

Because of this, users can lose out on funds whenever committing to such a trade, unknowingly, since no slippage is enforced.

Recommendation

Introduce a slippage enforcement just like the buyback contract.

0xmahdirostami commented 2 months ago

https://github.com/Satsyxbt/Fenix/blob/353c8e8e24454336e805e5c0e11e4e9ae1491d03/contracts/nest/SingelTokenBuybackUpgradeable.sol#L117

https://github.com/Satsyxbt/Fenix/blob/353c8e8e24454336e805e5c0e11e4e9ae1491d03/contracts/nest/SingelTokenBuybackUpgradeable.sol#L161

https://github.com/Satsyxbt/Fenix/blob/353c8e8e24454336e805e5c0e11e4e9ae1491d03/contracts/nest/SingelTokenBuybackUpgradeable.sol#L171

Invalid

whoismxuse commented 2 months ago

agreed, oversight on my end.

0xmahdirostami commented 2 months ago

@whoismxuse thanks
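
Added example, not code from the Fenix repository or from any participant in this thread: where a minimum-output bound sits relative to a `view` quote helper such as `getOptimalTokenToTokenRoute`. `BoundedSwapExample`, `IPathProvider`, `IERC20Like` and the `swapExactTokensForTokens` signature are assumptions for illustration; only the route fields and the quote function's signature are taken from the issue text.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed minimal interfaces. Only the route fields (from, to, stable) and the
// getOptimalTokenToTokenRoute signature come from the issue text; the swap
// function signature and the ERC-20 subset are assumptions for this sketch.
interface IRouterV2 {
    struct route { address from; address to; bool stable; }
    function swapExactTokensForTokens(
        uint256 amountIn, uint256 amountOutMin, route[] calldata routes, address to, uint256 deadline
    ) external returns (uint256[] memory amounts);
}
interface IPathProvider {
    function getOptimalTokenToTokenRoute(address inputToken_, address outputToken_, uint256 amountIn_)
        external view returns (IRouterV2.route[] memory, uint256 amountOut);
}
interface IERC20Like {
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Hypothetical caller (not the project's buyback contract).
contract BoundedSwapExample {
    IRouterV2 public immutable router;
    IPathProvider public immutable pathProvider;

    error ZeroMinOut();
    error NoRoute();

    constructor(IRouterV2 router_, IPathProvider pathProvider_) {
        router = router_;
        pathProvider = pathProvider_;
    }

    /// @param amountOutMin_ Caller's floor, computed off-chain from an earlier quote.
    function swap(address tokenIn_, address tokenOut_, uint256 amountIn_, uint256 amountOutMin_, uint256 deadline_)
        external returns (uint256 received)
    {
        if (amountOutMin_ == 0) revert ZeroMinOut(); // refuse an unbounded trade
        // View call: picks a route and quotes it, moves no funds.
        (IRouterV2.route[] memory routes, ) = pathProvider.getOptimalTokenToTokenRoute(tokenIn_, tokenOut_, amountIn_);
        if (routes.length == 0) revert NoRoute();
        // The on-chain quote is deliberately not used as the floor: it is read from
        // the same pool state the swap executes against, so it moves with that state.
        require(IERC20Like(tokenIn_).transferFrom(msg.sender, address(this), amountIn_), "transferFrom");
        require(IERC20Like(tokenIn_).approve(address(router), amountIn_), "approve");
        // Assumption: the router reverts if the final output is below amountOutMin_.
        uint256[] memory amounts = router.swapExactTokensForTokens(amountIn_, amountOutMin_, routes, msg.sender, deadline_);
        received = amounts[amounts.length - 1];
    }
}
```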