Missing deadline checks allow pending transactions to be maliciously executed
Summary
Missing deadline checks allow pending transactions to be maliciously executed
Vulnerability Detail
The BaseStakingVault contract does not allow users to submit a deadline for their action. This missing feature enables pending transactions to be maliciously executed at a later point.
Contract should provide their users with an option to limit the execution of their pending actions, such as while redeeming. The most common solution is to include a deadline timestamp as a parameter (for example see Uniswap V2). If such an option is not present, users can unknowingly perform bad trades.
Without an expiration deadline, a malicious miner/validator can hold a transaction until they favor it or they can make a profit
Impact
Pending transactions can be maliciously executed at a later point causing damage to users.
Without an expiration deadline, a malicious miner/validator can hold a transaction until they favor it or they can make a profit.
smbv-1923
Medium
Missing deadline checks allow pending transactions to be maliciously executed
Summary
Missing deadline checks allow pending transactions to be maliciously executed
Vulnerability Detail
BaseStakingVault
contract does not allow users to submit a deadline for their action. This missing feature enables pending transactions to be maliciously executed at a later point.Impact
Code Snippet
https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/staking/BaseStakingVault.sol#L170 https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/staking/BaseStakingVault.sol#L136 https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/staking/BaseStakingVault.sol#L197
Tool used
Manual Review
Recommendation
The most common solution is to include a deadline timestamp as a parameter (for example see Uniswap V2)
Duplicate of #79