Assessment reports>Fractal Protocol>High findings>Lack of slippage checks on DEX swaps
Category: Business Logic

Lack of slippage checks on DEX swaps

High Severity
High Impact
High Likelihood

Description

In many separate areas of the project, interactions and swaps with Uniswap are handled through DexLibrary. There is no slippage check on these interactions and are thus vulnerable to market manipulation.

function swap(
		uint256 amountIn,
		address fromToken,
		address toToken,
		IPair pair
	) internal returns (uint256) {
		(address token0, ) = sortTokens(fromToken, toToken);
		(uint112 reserve0, uint112 reserve1, ) = pair.getReserves();
		if (token0 != fromToken) (reserve0, reserve1) = (reserve1, reserve0);
		uint256 amountOut1 = 0;
		uint256 amountOut2 = getAmountOut(amountIn, reserve0, reserve1);
		if (token0 != fromToken)
			(amountOut1, amountOut2) = (amountOut2, amountOut1);
		safeTransfer(fromToken, address(pair), amountIn);
		pair.swap(amountOut1, amountOut2, address(this), ZERO_BYTES);
		return amountOut2 > amountOut1 ? amountOut2 : amountOut1;
}

Impact

Due the nature of most of the vulnerable methods being onlyOwner or onlyAdmin, the quantity of funds accumulated would be rather large along with the swap amount. An attacker could sandwich the the swap transaction, artificially inflating the spot price and profiting off the manipulated market conditions when the swap executes.

Recommendations

Set the default slippage to 0.5% for Uniswap, customizable for bigger trades.

Remediation

The issue has been acknowledged by Fractal.

Zellic © 2024Back to top ↑