Category: Business Logic
Lack of slippage checks on DEX swaps
High Severity
High Impact
High Likelihood
Description
In many separate areas of the project, interactions and swaps with Uniswap are handled through DexLibrary. There is no slippage check on these interactions and are thus vulnerable to market manipulation.
function swap(
uint256 amountIn,
address fromToken,
address toToken,
IPair pair
) internal returns (uint256) {
(address token0, ) = sortTokens(fromToken, toToken);
(uint112 reserve0, uint112 reserve1, ) = pair.getReserves();
if (token0 != fromToken) (reserve0, reserve1) = (reserve1, reserve0);
uint256 amountOut1 = 0;
uint256 amountOut2 = getAmountOut(amountIn, reserve0, reserve1);
if (token0 != fromToken)
(amountOut1, amountOut2) = (amountOut2, amountOut1);
safeTransfer(fromToken, address(pair), amountIn);
pair.swap(amountOut1, amountOut2, address(this), ZERO_BYTES);
return amountOut2 > amountOut1 ? amountOut2 : amountOut1;
}
Impact
Due the nature of most of the vulnerable methods being onlyOwner
or onlyAdmin
, the quantity of funds accumulated would be rather large along with the swap amount. An attacker could sandwich the the swap transaction, artificially inflating the spot price and profiting off the manipulated market conditions when the swap executes.
Recommendations
Set the default slippage to 0.5% for Uniswap, customizable for bigger trades.
Remediation
The issue has been acknowledged by Fractal.