sherlock-audit / 2024-06-leveraged-vaults-judging


4b - Using `block.timestamp` for deadline offers no protection #112

Closed sherlock-admin4 closed 2 months ago

sherlock-admin4 commented 2 months ago

4b

Medium

Using block.timestamp for deadline offers no protection

Summary

`block.timestamp` is being used as a deadline, which offers no real protection since it will have the value of the block the miners mine it in. This means the miner can insert these transactions into a block anytime he chooses, which can make it unfavorable.

Vulnerability Detail

In the `_redeemFromNotional`, `_executeInstantRedemption`, `_stakeTokens`, `_sellStakedUSDe`, `_stakeTokens` & `_executeInstantRedemption` functions we can find a deadline within a Trade block setting the deadline to `block.timestamp`, which is not effective considering how the blockchain works.

Impact

`block.timestamp` offers no real protection.

Code Snippet

This block of code is found in all the functions mentioned above

```solidity
Trade memory trade = Trade({
    tradeType: TradeType.EXACT_IN_SINGLE,
    sellToken: BORROW_TOKEN,
    buyToken: address(USDe),
    amount: depositUnderlyingExternal,
    limit: params.minPurchaseAmount,
    //@audit ineffective
    deadline: block.timestamp,
    exchangeData: params.exchangeData
});
```

Tool used

Manual Review

Recommendation

Implement a proper deadline logic either it will be an input param or better

Duplicate of #79
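The pattern in the finding next to the "input param" alternative from the recommendation, as an added example that is not code from the audited repository. `MockExchange`, `DeadlineDemo`, both function names and the trimmed three-field `Trade` struct are hypothetical, and the 1:1 fill is a constructed stand-in for real pricing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; every name here is hypothetical, not the audited code.
struct Trade {
    uint256 amount;
    uint256 limit;    // minimum acceptable output
    uint256 deadline; // latest timestamp at which the trade may execute
}

// Stand-in for a DEX adapter that enforces the deadline in the usual way.
contract MockExchange {
    error Expired(uint256 deadline, uint256 nowTs);

    function execute(Trade memory t) external view returns (uint256 out) {
        if (block.timestamp > t.deadline) revert Expired(t.deadline, block.timestamp);
        out = t.amount; // constructed 1:1 fill; pricing is out of scope here
        require(out >= t.limit, "slippage");
    }
}

contract DeadlineDemo {
    MockExchange public immutable exchange;

    constructor(MockExchange exchange_) {
        exchange = exchange_;
    }

    // Pattern from the finding: the deadline is read while the transaction
    // executes, so it always equals the timestamp the exchange compares it
    // against and the expiry check passes in whichever block this lands.
    function tradeNoExpiry(uint256 amount, uint256 minOut) external view returns (uint256) {
        return exchange.execute(Trade(amount, minOut, block.timestamp));
    }

    // Caller-supplied deadline: the value is fixed when the transaction is
    // signed, so inclusion after that time reverts with Expired.
    function tradeWithExpiry(uint256 amount, uint256 minOut, uint256 deadline)
        external
        view
        returns (uint256)
    {
        return exchange.execute(Trade(amount, minOut, deadline));
    }
}
```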