Assessment reportsPublic findings
Back to Zellic site
Assessment reports>IBC Eureka>Informational findings>Unchecked slippage may lead to sandwich attacks
GeneralOverview
Findings
Critical (3)
High (1)
Informational (1)Unchecked slippage may lead to sandwich attacks
DiscussionCentralization risks and trust assumptionsOne app could be registered with multiple ports
Threat ModelComponent: cs-ics08-wasm-ethComponent: sp1-programsComponent: SP1ICS07TendermintComponent: ICS20TransferComponent: ICS26RouterComponent: EurekaHandler
Audit ResultsAssessment Results
Category: Business Logic

Unchecked slippage may lead to sandwich attacks

Informational Severity
Informational Impact
N/A Likelihood

Description

The swapAndTransfer function in EurekaHandler allows users to swap a token to another token before transferring the output token via ics20. The swap is performed on the swapRouter using a low level call with the calldata swapCalldata. It is unclear how swapCalldata is created as it directly comes from the input and hence might contain the minimum amount of output tokens to be 0 or something less than expected.

Impact

Swaps could be sandwiched causing a loss of funds for users.

Recommendations

Slippage parameters should be verified in the calldata, or an additional min output amount could be added in swapAndTransfer which could be used to verify the amount after the swap.

Remediation

Zellic © 2025Back to top ↑