This repository has been archived by the owner on Nov 26, 2023. It is now read-only.
sherlock-admin opened this issue May 24, 2023 · 0 comments
Labels
Duplicate: A valid issue that is a duplicate of an issue with `Has Duplicates` label
High: A valid High severity issue
Reward: A payout will be made for this issue
Missing deadline checks allow pending transactions to be maliciously executed
Summary
USSD#UniV3SwapInput does not allow the balancer to specify a deadline for their transaction, enabling pending transactions to be maliciously executed at a later point.
Vulnerability Detail
AMMs provide their users with an option to limit the execution of their pending actions, such as swaps or adding and removing liquidity. The most common solution is to include a deadline timestamp as a parameter (for example see Uniswap V2 and Uniswap V3). If such an option is not present, users can unknowingly perform bad trades.
Alice wants to swap 100 tokens for 1 ETH and later sell the 1 ETH for 1000 DAI.
The transaction is submitted to the mempool. However, Alice chose a transaction fee that is too low for miners to be interested in including her transaction in a block. The transaction stays pending in the mempool for extended periods, which could be hours, days, weeks, or even longer.
When the average gas fee drops far enough for Alice's transaction to become interesting again for miners to include it, her swap will be executed. In the meantime, the price of ETH could have drastically changed. She will still get 1 ETH but the DAI value of that output might be significantly lower. She has unknowingly performed a bad trade due to the pending transaction she forgot about.
An even worse way this issue can be maliciously exploited is through MEV:
The swap transaction is still pending in the mempool. Average fees are still too high for miners to be interested in it. The price of tokens has gone up significantly since the transaction was signed, meaning Alice would receive a lot more ETH when the swap is executed. But that also means that her maximum slippage value is outdated and would allow for significant slippage.
A MEV bot detects the pending transaction. Since the outdated maximum slippage value now allows for high slippage, the bot sandwiches Alice, resulting in significant profit for the bot and significant loss for Alice.
Impact
Since USSD#UniV3SwapInput interacts directly with UniswapV3, a deadline parameter should be used instead of ignored, so that a rebalancing does not result in a significant loss of funds.
Code Snippet
```solidity
function UniV3SwapInput(
    bytes memory _path,
    uint256 _sellAmount
) public override onlyBalancer {
    IV3SwapRouter.ExactInputParams memory params = IV3SwapRouter
        .ExactInputParams({
            path: _path,
            recipient: address(this),
            //deadline: block.timestamp, // @audit should be used
            amountIn: _sellAmount,
            amountOutMinimum: 0
        });
    uniRouter.exactInput(params);
}
```
Madalad
medium
Code Snippet
https://github.com/USSDofficial/ussd-contracts/blob/f44c726371f3152634bcf0a3e630802e39dec49c/contracts/USSD.sol#L227-L240
Tool used
Manual Review
Recommendation
Use the `deadline` parameter when swapping via the Uniswap V3 pool in `USSD#UniV3SwapInput`.
Duplicate of #673
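One way to apply the recommendation, as an added example that is not the project's own code: the balancer supplies a deadline and the contract checks it before calling the router. The minimal interface, the contract name, and the `_deadline` and `_minAmountOut` parameters are assumptions, and token approval to the router is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumption: minimal router interface mirroring only the fields used in the
// snippet above; it is not copied from the project's or Uniswap's source.
interface IV3SwapRouter {
    struct ExactInputParams {
        bytes path;
        address recipient;
        uint256 amountIn;
        uint256 amountOutMinimum;
    }

    function exactInput(ExactInputParams calldata params) external payable returns (uint256 amountOut);
}

// Hypothetical contract; access control is reduced to a single balancer address.
contract DeadlineCheckedSwapper {
    IV3SwapRouter public immutable uniRouter;
    address public immutable balancer;

    constructor(IV3SwapRouter _router, address _balancer) {
        uniRouter = _router;
        balancer = _balancer;
    }

    modifier onlyBalancer() {
        require(msg.sender == balancer, "not balancer");
        _;
    }

    function UniV3SwapInput(
        bytes memory _path,
        uint256 _sellAmount,
        uint256 _minAmountOut, // hypothetical: caller's slippage floor (the snippet above passes 0)
        uint256 _deadline      // hypothetical: latest timestamp at which the swap may execute
    ) public onlyBalancer returns (uint256 amountOut) {
        // Revert if the transaction sat in the mempool past the signer's deadline.
        // Using block.timestamp as the deadline would always pass and check nothing.
        require(block.timestamp <= _deadline, "swap expired");
        amountOut = uniRouter.exactInput(
            IV3SwapRouter.ExactInputParams({
                path: _path,
                recipient: address(this),
                amountIn: _sellAmount,
                amountOutMinimum: _minAmountOut
            })
        );
    }
}
```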