search

sherlock-audit / 2023-12-flatmoney-judging

11 stars 9 forks source link

the-first-elder - Risk of token loss due to unchecked minAmoutOut vulnerability #71

Closed sherlock-admin closed 8 months ago

sherlock-admin commented 8 months ago

the-first-elder

medium

Risk of token loss due to unchecked minAmoutOut vulnerability

Summary

Unchecked minAmountOut set by the user can be arbitrarily low, for example 0 or 1, which poses a significant risk of losing tokens if minAmountOut is required to be paid to them.

Vulnerability Detail

Unchecked minAmountOut set by the user can be arbitrarily low, even down to 0 or 1, which effectively bypasses any high slippage checks, exposing the system to potential exploitation. Based on the code snipet below the expression will always be false provided quotedAmount is greater than minAmountOut.

Impact

Users are at risk of losing their tokens if minAmountOut needs to be paid to them due to the unchecked and potentially low value set by the user.

Code Snippet

https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/DelayedOrder.sol#L83

Tool used

Manual Review

Recommendation

Consider using the quotedAmount as the minAmountOut for the user to mitigate the risk of exploitation and potential loss of tokens.

sherlock-admin commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

nevillehuang commented 8 months ago

Invalid, user input error not valid based on sherlock rules. It is their responsibility to set appropriate slippage parameters. If they desire no slippage, then it is their responsibility