the swap function is subject to MEV bundle since it does not have slippage proportional to trrade size, but just a fixed fee.
Summary
the swap function is subject to MEV bundle since it does not have slippage proportional to trade size, but just a fixed fee.
Vulnerability Detail
The protocol allows swapping from USD1 to USDEMC, namely emerging market currencies like indian Rupee, whose prices would be updated in XOracle. Price volatility in these EM currencies are inherently higher. During the swap, USDEMC would be minted to the trader who send in USD1, and the output amount is calculated by _calculateSwapResultByAmountIn.
However, in this function, the output just consider a fixed fee and the price from the oracle, without considering ReserveSize relative to tradeSize to incur slippage. This is problematic since if there is a price update that is big enough to cover fee x 2, MEV searcher could bundle the oracle update into a sandwich attack and profit from the entire available swappable size..
0xGoodess
medium
the swap function is subject to MEV bundle since it does not have slippage proportional to trrade size, but just a fixed fee.
Summary
the swap function is subject to MEV bundle since it does not have slippage proportional to trade size, but just a fixed fee.
Vulnerability Detail
The protocol allows swapping from USD1 to USDEMC, namely emerging market currencies like indian Rupee, whose prices would be updated in XOracle. Price volatility in these EM currencies are inherently higher. During the swap, USDEMC would be minted to the trader who send in USD1, and the output amount is calculated by
_calculateSwapResultByAmountIn
.However, in this function, the output just consider a fixed fee and the price from the oracle, without considering ReserveSize relative to tradeSize to incur slippage. This is problematic since if there is a price update that is big enough to cover
fee x 2
, MEV searcher could bundle the oracle update into a sandwich attack and profit from the entire available swappable size.._calculateSwapResultByAmountIn(SwapRequest memory request)
Impact
TradingPairs with volatile price and centralized oracle are traded without slippage relative to pool size is subject to MEV.
Code Snippet
https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/SwapFunctions.sol#L41-L75
Tool used
Manual Review
Recommendation
Incur dynamic slippage that is based on trade size as a percentage of total reserve.
Duplicate of #88