This repository has been archived by the owner on Dec 17, 2023. It is now read-only.
ni8mare - No slippage protection in swap functions of UniswapExtension.sol #477
Labels
Excluded
Excluded by the judge without consulting the protocol or the senior
Non-Reward
This issue will not receive a payout
ni8mare
medium
No slippage protection in swap functions of UniswapExtension.sol
Summary
There are no checks for slippage protection for users when uniV3ExactInputInternal is used.
Vulnerability Detail
The function uniV3ExactInputInternal performs a swap using the Uniswap V3 swap function. This swap function takes recipient, zeroForOne, amountSpecified, sqrtPriceLimitX96, and data as its parameters.
But the problem arises here when sqrtPriceLimitX96 (represents the square root of the lowest or highest price that you are willing to perform the trade at) is hard coded to TickMath.MAX_SQRT_RATIO - 1 or TickMath.MIN_SQRT_RATIO + 1, meaning that we are willing to take the worst possible rate (highest price in the event we are trading 1 => 0; lowest price in the event we are trading 0 => 1) and hence a user is susceptible to slippage.
Impact
As there is no slippage protection, users can receive fewer tokens than expected and can also be subjected to frontrunning attacks.
Code Snippet
In uniV3ExactInputInternal:
Tool used
Manual Review
Recommendation
Make the user input a slippage parameter instead of hardcoding values to ensure that the amount of token they receive back from Uniswap is in line with what they expect. Please check this issue
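One way to implement the recommendation above, as an added example (not code from the audited repository or from the report's author): an exact-input swap that takes a caller-supplied minimum output and price limit instead of hard-coding the limit. The contract name SlippageCheckedSwap, the function _exactInput and the error TooLittleReceived are hypothetical; the pool interface and the two ratio constants are Uniswap V3's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal interface for the Uniswap V3 pool swap call named in the report.
interface IUniswapV3Pool {
    function swap(
        address recipient,
        bool zeroForOne,
        int256 amountSpecified,
        uint160 sqrtPriceLimitX96,
        bytes calldata data
    ) external returns (int256 amount0, int256 amount1);
}

// Hypothetical wrapper (assumption), not the audited UniswapExtension.sol.
// The inheriting contract must still implement uniswapV3SwapCallback to pay the pool.
abstract contract SlippageCheckedSwap {
    // Values of TickMath.MIN_SQRT_RATIO and TickMath.MAX_SQRT_RATIO.
    uint160 internal constant MIN_SQRT_RATIO = 4295128739;
    uint160 internal constant MAX_SQRT_RATIO = 1461446703485210103287273052203988822378723970342;

    error TooLittleReceived(uint256 amountOut, uint256 amountOutMinimum);

    function _exactInput(
        IUniswapV3Pool pool,
        address recipient,
        bool zeroForOne,
        uint256 amountIn,
        uint256 amountOutMinimum,  // caller-supplied slippage bound on the output
        uint160 sqrtPriceLimitX96, // caller-supplied price bound; 0 means "no price limit"
        bytes memory data
    ) internal returns (uint256 amountOut) {
        require(amountIn <= uint256(type(int256).max), "amountIn too large");
        // Fall back to the extreme bound only when the caller explicitly opts out;
        // amountOutMinimum is still enforced after the swap.
        if (sqrtPriceLimitX96 == 0) {
            sqrtPriceLimitX96 = zeroForOne ? MIN_SQRT_RATIO + 1 : MAX_SQRT_RATIO - 1;
        }
        // A positive amountSpecified means exact input.
        (int256 amount0, int256 amount1) =
            pool.swap(recipient, zeroForOne, int256(amountIn), sqrtPriceLimitX96, data);
        // The pool reports the token it paid out as a negative delta.
        amountOut = uint256(-(zeroForOne ? amount1 : amount0));
        if (amountOut < amountOutMinimum) revert TooLittleReceived(amountOut, amountOutMinimum);
    }
}
```

With a non-zero price limit the pool may stop before consuming all of amountIn, so the callback should pay only the amount the pool requests.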