sellBase() and sellQuote() functions doesn't handle the slippage check which can leads to loss of user funds
Summary
in GSPTrader.sol i found that the swap functions i.e sellBase() and sellQuote() functions are not handling the slippage check which can lead to slippage attack,in such case user can lose funds/tokens
Vulnerability Detail
GSPTrader.sol handles the swap.it has two functions for swap i.e sellBase() and sellQuote() which returns quote token and vice versa.but here, this functions are missing the slippage check which can leads to loss of user funds(refer POC).contract should allow users to specify a slippage parameter like minTokensOut minimum amount of output tokens to be received from the swap, such that the swap will revert if it wouldn't return the user-specified minimum amount of output tokens.
POC
->Alice initiates a transaction to sell a large amount of base tokens. The transaction is broadcasted to the Ethereum network but is not yet included in a block.
-> Bob, an attacker, sees Alice's transaction in the mempool. Bob creates a transaction to buy a large amount of base tokens, effectively increasing the price of the base token. Bob sets a higher gas price for his transaction to ensure it gets mined before Alice's transaction.
-> Bob's transaction is mined first, increasing the price of the base token.
-> Alice's transaction is then mined. However, because the price of the base token has increased, Alice receives less quote tokens than she expected.
-> Bob then sells the base tokens he bought, profiting from the price increase caused by Alice's transaction.
Impact
Trades can happen at a bad price and lead to receiving fewer tokens than at a fair market price. The attacker's profit is the protocol's loss
Ragnark_323
high
sellBase() and sellQuote() functions doesn't handle the slippage check which can leads to loss of user funds
Summary
in GSPTrader.sol i found that the swap functions i.e sellBase() and sellQuote() functions are not handling the slippage check which can lead to slippage attack,in such case user can lose funds/tokens
Vulnerability Detail
GSPTrader.sol handles the swap.it has two functions for swap i.e
sellBase()
andsellQuote()
which returns quote token and vice versa.but here, this functions are missing the slippage check which can leads to loss of user funds(refer POC).contract should allow users to specify a slippage parameter likeminTokensOut
minimum amount of output tokens to be received from the swap, such that the swap will revert if it wouldn't return the user-specified minimum amount of output tokens.POC
->Alice initiates a transaction to sell a large amount of base tokens. The transaction is broadcasted to the Ethereum network but is not yet included in a block. -> Bob, an attacker, sees Alice's transaction in the mempool. Bob creates a transaction to buy a large amount of base tokens, effectively increasing the price of the base token. Bob sets a higher gas price for his transaction to ensure it gets mined before Alice's transaction. -> Bob's transaction is mined first, increasing the price of the base token. -> Alice's transaction is then mined. However, because the price of the base token has increased, Alice receives less quote tokens than she expected. -> Bob then sells the base tokens he bought, profiting from the price increase caused by Alice's transaction.
Impact
Trades can happen at a bad price and lead to receiving fewer tokens than at a fair market price. The attacker's profit is the protocol's loss
Code Snippet
SellBase()
SellQuote()
Tool used
Manual Review
Recommendation
Recommend adding a minimum amount out parameter. The function should revert if the minimum amount isn’t obtained.
Duplicate of #15