Asymmetry contest - SadBase's results

A protocol to help diversify and decentralize liquid staking derivatives.

General Information

Platform: Code4rena

Start Date: 24/03/2023

Pot Size: $49,200 USDC

Total HM: 20

Participants: 246

Period: 6 days

Judge: Picodes

Total Solo HM: 1

Id: 226

League: ETH

Asymmetry Finance

Findings Distribution

Researcher Performance

Rank: 105/246

Findings: 1

Award: $40.64

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Labels

bug
2 (Med Risk)
satisfactory
duplicate-932

Awards

40.6368 USDC - $40.64

External Links

Lines of code

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L91
https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L101

Vulnerability details

Impact

The SafEth.sol contract does not let users attach a deadline to their deposit actions. Without one, a transaction that sits pending in the mempool can be included much later, under market conditions the user never agreed to, and can be picked up and executed at that later point by a malicious actor.

Proof of Concept

Line of Code

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L91
https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L101

AMMs give users the ability to restrict the execution of their pending actions, such as adding or removing liquidity or making swaps. The most common way to do this is a deadline timestamp passed as a parameter, as in Uniswap V2 and V3. Without this option, users may unintentionally execute bad trades. For instance, if Alice wants to swap 100 tokens for 1 ETH and then sell the ETH for 1000 DAI, but chooses a transaction fee that is too low for miners to include her transaction in a block, her transaction will remain pending for an extended period. By the time it is executed, the price of ETH may have changed significantly, resulting in a bad trade. Moreover, a malicious actor could exploit this situation through MEV: if the maximum slippage value is outdated, a MEV bot could sandwich Alice, leading to significant losses for her.

SafEth, whose RocketPool derivative contract swaps through Uniswap V3 to obtain rETH, should likewise offer a deadline parameter to users whose actions trigger a swap. Currently there is no such option. Although functions like deposit are partially protected by the minOut parameter, unfavorable trades remain possible. When a user deposits, the function loops through all derivative contracts and performs the swaps. When execution reaches the Reth.sol contract, the swap is submitted without a deadline, so if the user's transaction is not processed promptly she may wait a long time for it to go through, and it will then execute under whatever conditions prevail at that time.

Tools Used

Manual Review

Recommended Mitigation Steps

Introduce a deadline parameter on all functions that could potentially perform a swap on the user's behalf, and forward it to the underlying swap call.
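The following Solidity sketch is an added illustration of the recommendation and is not code from the Asymmetry repository. It shows a hypothetical derivative contract (DerivativeSwapExample, with assumed token addresses and an assumed pool fee tier) that performs the same Uniswap V3 single-hop swap twice: once with the deadline effectively disabled, and once with a caller-supplied deadline enforced by an `ensure` modifier, as the finding recommends. The `ISwapRouter` and `IERC20` interfaces are the minimal subsets needed to compile; the field set of `ExactInputSingleParams` matches Uniswap V3's SwapRouter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Uniswap V3's ISwapRouter (field names and order as in
// the real SwapRouter; only what this example needs is declared).
interface ISwapRouter {
    struct ExactInputSingleParams {
        address tokenIn;
        address tokenOut;
        uint24 fee;
        address recipient;
        uint256 deadline;
        uint256 amountIn;
        uint256 amountOutMinimum;
        uint160 sqrtPriceLimitX96;
    }

    function exactInputSingle(ExactInputSingleParams calldata params)
        external
        payable
        returns (uint256 amountOut);
}

// Minimal ERC-20 subset for approving the router to pull tokenIn.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

/// Hypothetical derivative contract written for this example (not Reth.sol).
/// Token addresses, the router and the fee tier are constructor/constant
/// assumptions; in practice they would be the WETH/rETH pair used by the
/// protocol.
contract DerivativeSwapExample {
    ISwapRouter public immutable router;
    address public immutable tokenIn;   // assumed: WETH
    address public immutable tokenOut;  // assumed: rETH
    uint24 public constant POOL_FEE = 500; // assumed fee tier, 0.05%

    error DeadlinePassed(uint256 deadline, uint256 blockTime);

    constructor(ISwapRouter _router, address _tokenIn, address _tokenOut) {
        router = _router;
        tokenIn = _tokenIn;
        tokenOut = _tokenOut;
    }

    /// BEFORE: a swap with no user-controlled deadline. Passing
    /// block.timestamp to the router is a common pattern, but the value is
    /// evaluated at inclusion time, so the check can never fail and a stale
    /// pending transaction still executes whenever it is finally mined.
    function swapNoDeadline(uint256 amountIn, uint256 minOut)
        external
        returns (uint256 amountOut)
    {
        IERC20(tokenIn).approve(address(router), amountIn);
        amountOut = router.exactInputSingle(
            ISwapRouter.ExactInputSingleParams({
                tokenIn: tokenIn,
                tokenOut: tokenOut,
                fee: POOL_FEE,
                recipient: address(this),
                deadline: block.timestamp, // effectively no deadline
                amountIn: amountIn,
                amountOutMinimum: minOut,
                sqrtPriceLimitX96: 0
            })
        );
    }

    /// Reverts when the wall-clock deadline the caller signed has passed.
    modifier ensure(uint256 deadline) {
        if (block.timestamp > deadline) {
            revert DeadlinePassed(deadline, block.timestamp);
        }
        _;
    }

    /// AFTER: the caller supplies an absolute timestamp. The modifier rejects
    /// the call if the transaction is mined late, and the same value is
    /// forwarded to the router so its own check is meaningful too.
    function swapWithDeadline(uint256 amountIn, uint256 minOut, uint256 deadline)
        external
        ensure(deadline)
        returns (uint256 amountOut)
    {
        IERC20(tokenIn).approve(address(router), amountIn);
        amountOut = router.exactInputSingle(
            ISwapRouter.ExactInputSingleParams({
                tokenIn: tokenIn,
                tokenOut: tokenOut,
                fee: POOL_FEE,
                recipient: address(this),
                deadline: deadline, // user-chosen, e.g. now + 20 minutes
                amountIn: amountIn,
                amountOutMinimum: minOut,
                sqrtPriceLimitX96: 0
            })
        );
    }
}
```

In the protocol's layout the parameter has to travel the whole call path: the user-facing entry point (the deposit/stake function on SafEth) takes `deadline` alongside `minOut`, checks it once with the modifier, and passes it to each derivative's swap so that every leg of the loop is bounded by the same timestamp. The `minOut` check still belongs there as well; the deadline bounds how long the quote is valid, while `minOut` bounds how far the execution price may drift within that window.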

#0 - c4-pre-sort

2023-04-04T14:50:08Z

0xSorryNotSorry marked the issue as duplicate of #1087

#1 - c4-judge

2023-04-22T10:18:41Z

Picodes marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
