Unitas contract will call _checkPrice(address quoteToken, uint256 price) function to ensure the price is between the _minPriceTolerance and _maxPriceTolerance, so user will not get a bad trade.
However, because the exchange rate of a token pair may vary between the moment the user submits the swap transaction and when it's executed, the _minPriceTolerance and _maxPriceTolerance may also be updated before the execution of the user's transaction, if it is in that case, user will lose price protection from the _minPriceTolerance and _maxPriceTolerance and lose funds.
For example, a user submits transaction to swap 1000 USD91 for USD1, at the moment the USD91/USD1 rate is 0.012, then the user should get 12 USD1 in return. If USD91 depreciates and the exchange rate becomes 0.01, the _minPriceTolerance and _maxPriceTolerance will be updated accordingly, user may eventually gets 10 USD1 and suffer a loss of 2 USD1.
Impact
Large exchange rate fluctuation can lead to loss of funds for the user.
Recommend to add a slippage protection in the swap(address tokenIn, address tokenOut, AmountType amountType, uint256 amount) function, this can be done by adding a maxAmountIn and minAmountOut variables in the call and checking if the returned USSD amount is above it or not.
Jiamin
medium
Unitas contract executes swaps without proper slippage protection
Summary
The Unitas contract executes swaps without proper slippage protection, this puts user at risk of losing funds.
Vulnerability Detail
The swap(address tokenIn, address tokenOut, AmountType amountType, uint256 amount) inside Unitas contract does not implement slippage protection when swapping tokens.
Unitas contract will call _checkPrice(address quoteToken, uint256 price) function to ensure the price is between the
_minPriceTolerance
and_maxPriceTolerance
, so user will not get a bad trade.However, because the exchange rate of a token pair may vary between the moment the user submits the swap transaction and when it's executed, the
_minPriceTolerance
and_maxPriceTolerance
may also be updated before the execution of the user's transaction, if it is in that case, user will lose price protection from the_minPriceTolerance
and_maxPriceTolerance
and lose funds.For example, a user submits transaction to swap 1000
USD91
forUSD1
, at the moment the USD91/USD1 rate is 0.012, then the user should get 12 USD1 in return. If USD91 depreciates and the exchange rate becomes 0.01, the_minPriceTolerance
and_maxPriceTolerance
will be updated accordingly, user may eventually gets 10 USD1 and suffer a loss of 2 USD1.Impact
Large exchange rate fluctuation can lead to loss of funds for the user.
Code Snippet
https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/Unitas.sol#L208-L208
Tool used
Manual Review
Recommendation
Recommend to add a slippage protection in the
swap(address tokenIn, address tokenOut, AmountType amountType, uint256 amount)
function, this can be done by adding amaxAmountIn
andminAmountOut
variables in the call and checking if the returned USSD amount is above it or not.Duplicate of #88