The referenced statement will utilize the IQuoterV2 implementation to query the output of a particular swap, however, this mechanism is insecure as it will simply simulate the trade in on-chain conditions and thus not protect against slippage.
Impact:
The amount of tokens swapped in the RoyaltyHandler::_swapTokensForETH function is susceptible to arbitrage as it uses an insecure output measurement mechanism.
Example:
/**
* @notice This internal method takes `tokenAmount` of tokens and swaps it for ETH.
* @param tokenAmount Amount of $RWA tokens being swapped/sold for ETH.
*/
function _swapTokensForETH(uint256 tokenAmount) internal {
// a. Get quote
IQuoterV2.QuoteExactInputSingleParams memory quoteParams = IQuoterV2.QuoteExactInputSingleParams({
tokenIn: address(rwaToken),
tokenOut: address(WETH),
amountIn: tokenAmount,
fee: poolFee,
sqrtPriceLimitX96: 0
});
(uint256 amountOut,,,) = quoter.quoteExactInputSingle(quoteParams);
// b. build swap params
ISwapRouter.ExactInputSingleParams memory swapParams = ISwapRouter.ExactInputSingleParams({
tokenIn: address(rwaToken),
tokenOut: address(WETH),
fee: poolFee,
recipient: address(this),
deadline: block.timestamp,
amountIn: tokenAmount,
amountOutMinimum: amountOut,
sqrtPriceLimitX96: 0
});
// c. swap
rwaToken.approve(address(swapRouter), tokenAmount);
uint256 preBal = WETH.balanceOf(address(this));
swapRouter.exactInputSingle(swapParams);
require(preBal + amountOut == WETH.balanceOf(address(this)), "RoyaltyHandler: Insufficient WETH received");
}
Recommendation:
We advise the code to utilize a user-provided minimum output value, or to utilize a decentralized price measurement mechanism (i.e. TWAP / Oracle) to ensure that the trade performed by the RoyaltyHandler::_swapTokensForETH function is secure against arbitrage attacks.
RHR-02M: Insecure Trade Output Measurement
Description:
The referenced statement will utilize the
IQuoterV2
implementation to query the output of a particular swap, however, this mechanism is insecure as it will simply simulate the trade in on-chain conditions and thus not protect against slippage.Impact:
The amount of tokens swapped in the
RoyaltyHandler::_swapTokensForETH
function is susceptible to arbitrage as it uses an insecure output measurement mechanism.Example:
Recommendation:
We advise the code to utilize a user-provided minimum output value, or to utilize a decentralized price measurement mechanism (i.e. TWAP / Oracle) to ensure that the trade performed by the
RoyaltyHandler::_swapTokensForETH
function is secure against arbitrage attacks.