dacian

high

# USSDRebalancer.rebalance() calls USSD.UniV3SwapInput() exposed to unlimited slippage

## Summary

USSDRebalancer.rebalance() is exposed to unlimited slippage when it calls USSD.UniV3SwapInput().

## Vulnerability Detail

`USSDRebalancer.rebalance()` can call either `BuyUSSDSellCollateral()` or `SellUSSDBuyCollateral()`. Both of these functions call `USSD.UniV3SwapInput()`, which executes a swap with unlimited slippage:

```solidity
function UniV3SwapInput(
	bytes memory _path,
	uint256 _sellAmount
) public override onlyBalancer {
	IV3SwapRouter.ExactInputParams memory params = IV3SwapRouter
		.ExactInputParams({
			path: _path,
			recipient: address(this),
			//deadline: block.timestamp, // no expiry: the swap is valid in whatever block it is mined
			amountIn: _sellAmount,
			amountOutMinimum: 0 //@audit - unlimited slippage: any output amount, even zero, is accepted
		});
	uniRouter.exactInput(params);
}
```

This is a swap with no slippage parameter and no expiration deadline.

## Impact

`USSDRebalancer.rebalance()` is exposed to unlimited slippage and is therefore vulnerable to exploitation by sandwich attacks.

## Code Snippet

See above

## Tool used

Manual Review

## Recommendation

Use a valid slippage parameter and optionally an expiration timestamp.
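The following is an added illustration of the recommended fix, written for this report and not the USSD project's own code. It assumes the same SwapRouter02-style `IV3SwapRouter` interface as the snippet above (whose `ExactInputParams` struct has no `deadline` field, which is why the original line is commented out), the same `onlyBalancer` access control, and that the rebalancer can supply an expected output amount from a trusted price source (oracle or quoter). The contract name, the `_minAmountOut`/`_deadline` parameters, the custom errors and the `minOutWithSlippage()` helper are all hypothetical; because the function signature changes, the interface that declares `UniV3SwapInput()` would need to change with it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Minimal SwapRouter02-style interface (assumed to match the one the project uses).
// Note: no deadline field in the struct, so expiry must be enforced by the caller.
interface IV3SwapRouter {
    struct ExactInputParams {
        bytes path;
        address recipient;
        uint256 amountIn;
        uint256 amountOutMinimum;
    }

    function exactInput(ExactInputParams calldata params) external payable returns (uint256 amountOut);
}

// Hypothetical hardened variant of USSD.UniV3SwapInput(); illustration only.
abstract contract USSDSwapHardened {
    IV3SwapRouter public uniRouter;
    address public balancer;

    error NotBalancer(address caller);
    error SwapExpired(uint256 deadline, uint256 nowTimestamp);
    error MinOutNotSet();
    error InsufficientOutput(uint256 received, uint256 minimum);

    modifier onlyBalancer() {
        if (msg.sender != balancer) revert NotBalancer(msg.sender);
        _;
    }

    /// @notice Derive a minimum acceptable output from an expected amount and a
    ///         slippage tolerance in basis points (e.g. 50 = 0.5%). The expected
    ///         amount is assumed to come from an oracle or quoter, not from the pool
    ///         being swapped against, otherwise a manipulated pool price would simply
    ///         be echoed back as the "expected" value.
    function minOutWithSlippage(uint256 expectedOut, uint256 maxSlippageBps) public pure returns (uint256) {
        require(maxSlippageBps < 10_000, "slippage must be below 100%");
        return (expectedOut * (10_000 - maxSlippageBps)) / 10_000;
    }

    /// @notice Same swap as the original, but the caller must commit to a minimum
    ///         output and a deadline, so a sandwiched or stale transaction reverts
    ///         instead of accepting an arbitrarily bad price.
    function UniV3SwapInput(
        bytes memory _path,
        uint256 _sellAmount,
        uint256 _minAmountOut,
        uint256 _deadline
    ) public onlyBalancer returns (uint256 amountOut) {
        // Expiry check done here because this router interface has no deadline field.
        if (block.timestamp > _deadline) revert SwapExpired(_deadline, block.timestamp);
        // A zero minimum would reintroduce unlimited slippage; refuse it outright.
        if (_minAmountOut == 0) revert MinOutNotSet();

        IV3SwapRouter.ExactInputParams memory params = IV3SwapRouter.ExactInputParams({
            path: _path,
            recipient: address(this),
            amountIn: _sellAmount,
            amountOutMinimum: _minAmountOut // router reverts if the pool cannot deliver this much
        });
        amountOut = uniRouter.exactInput(params);

        // The router already enforces amountOutMinimum; this explicit check documents
        // the invariant and guards against a router implementation that does not.
        if (amountOut < _minAmountOut) revert InsufficientOutput(amountOut, _minAmountOut);
    }
}
```

In the rebalancer, the call becomes `UniV3SwapInput(path, sellAmount, minOutWithSlippage(expectedOut, 50), block.timestamp + 15 minutes)` or similar, with `expectedOut` taken from a price source independent of the pool being traded. Passing `block.timestamp` itself as the deadline would make the check meaningless, since it is evaluated in the same block the swap executes.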