Lines of code
<https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/TokenisableRange.sol#L200>
<https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/TokenisableRange.sol#L260>
<https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/TokenisableRange.sol#L301>
Not allowing users to supply their own deadline could potentially expose them to sandwich attacks
Consider the following scenario:
if ((fee0 * 100 > bal0 ) && (fee1 * 100 > bal1)) {
TOKEN0.token.safeIncreaseAllowance(address(POS_MGR), fee0);
TOKEN1.token.safeIncreaseAllowance(address(POS_MGR), fee1);
(uint128 newLiquidity, uint256 added0, uint256 added1) = POS_MGR.increaseLiquidity(
INonfungiblePositionManager.IncreaseLiquidityParams({
tokenId: tokenId,
amount0Desired: fee0,
amount1Desired: fee1,
amount0Min: 0, //@audit
amount1Min: 0,
deadline: block.timestamp //@audit
})
In claimFee function of TokenisableRange.sol, User is claiming fee but it does not allow user to include a deadline check and it is hardcoded to block.timestamp.
deadline: block.timestamp
In claimFee function of TokenisableRange.sol, user is claiming fee but the deadline parameter is simply passed in as current block.timestamp in which transaction occurs. This effectively means that transaction has no deadline, which means that the transaction may be included anytime by validators and remain pending in mempool, potentially exposing users to sandwich attacks by attackers or MEV bots.
Alice wants to swap 30 BNB token for 1 BNB and later sell the 1 BNB for 300 DAI. She signs the transaction calling TalosBaseStrategy.redeem() with inputAmount = 30 vBNB and amountOutmin = 0.99 BNB (1$ slippage).
The transaction is submitted to the mempool, however, Alice chose a transaction fee that is too low for validators to be interested in including her transaction in a block. The transaction stays pending in the mempool for extended periods, which could be hours, days, weeks, or even longer.
When the average gas fee dropped far enough for Aliceβs transaction to become interesting again for miners to include it, her swap will be executed. In the meantime, the price of BNB could have drastically decreased. She will still at least get 0.99 BNB due to amountOutmin, but the DAI value of that output might be significantly lower. She has unknowingly performed a bad trade due to the pending transaction she forgot about.
An even worse way this issue can be maliciously exploited is through MEV:
Manual Review
Allow users to supply their own deadline parameter within In init() function.
Timing
The text was updated successfully, but these errors were encountered:
All reactions