You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Deadline cannot be block.timestamp in VaultLib::_redeemCtDsAndSellExcessCt
Summary
on line 345 of VaultLib::_redeemCtDsAndSellExcessCt, the function swapExactTokensForTokens() is called but the deadline parameter of the function is initialised to block.timestamp which offers no protection
Root Cause
on line 345 the deadline param of the swapExactTokensForTokens is being initialised to block.timestamp
Internal pre-conditions
whenever user calls redeemEarlyLv in the vault contract.
External pre-conditions
No external pre-con
Attack Path
When user calls redeemEarlyLv
Then it makes a call to the vaultlib redeemEarly using the current state storage
A call is made to _liquidateLpPartial
then we try to _redeemCtDsAndSellExcessCt
in _redeemCtDsAndSellExcessCt a call is made to ammRouter.swapExactTokensForTokens.
which makes an external call to uniswaps router v2 with the provided data
Impact
There is no real protection or deadline
PoC
looking into the function the problem is from this line ra += ammRouter.swapExactTokensForTokens(ctSellAmount, 0, path, address(this),block.timestamp)[1];
which intend makes a swapExactTokensForTokens call to an amm router which is uniswapV2's router02, which looks like this;
so evaluating when you have a deadline of block.timestamp, we can confirm deadline will never be reached, because block.timestamp == block.timestamp always.
Mitigation
Add a real deadline either a user passed in timestamp or any other implementation
sherlock-admin3
changed the title
Eager Inky Perch - Deadline cannot be block.timestamp in VaultLib::_redeemCtDsAndSellExcessCt
4b - Deadline cannot be block.timestamp in VaultLib::_redeemCtDsAndSellExcessCtSep 25, 2024
4b
Medium
Deadline cannot be block.timestamp in
VaultLib::_redeemCtDsAndSellExcessCt
Summary
on line 345 of
VaultLib::_redeemCtDsAndSellExcessCt
, the functionswapExactTokensForTokens()
is called but the deadline parameter of the function is initialised to block.timestamp which offers no protectionRoot Cause
on line 345 the
deadline
param of theswapExactTokensForTokens
is being initialised to block.timestampInternal pre-conditions
whenever user calls
redeemEarlyLv
in the vault contract.External pre-conditions
No external pre-con
Attack Path
redeemEarlyLv
redeemEarly
using the current state storage_redeemCtDsAndSellExcessCt
a call is made toammRouter.swapExactTokensForTokens
.Impact
There is no real protection or deadline
PoC
looking into the function the problem is from this line
ra += ammRouter.swapExactTokensForTokens(ctSellAmount, 0, path, address(this),block.timestamp)[1];
which intend makes a
swapExactTokensForTokens
call to an amm router which is uniswapV2's router02, which looks like this;so as we can see, in the function declaration there is an ensure modifier which makes sure the deadline has not passed.
so evaluating when you have a deadline of block.timestamp, we can confirm deadline will never be reached, because block.timestamp == block.timestamp always.
Mitigation
Add a real deadline either a user passed in timestamp or any other implementation
Duplicate of #66
The text was updated successfully, but these errors were encountered: