Platform: Code4rena
Start Date: 08/05/2023
Pot Size: $90,500 USDC
Total HM: 17
Participants: 102
Period: 7 days
Judge: 0xean
Total Solo HM: 4
Id: 236
League: ETH
Rank: 24/102
Findings: 1
Award: $732.00
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xnev
Also found by: 0xStalin, BugBusters, chaieth
731.996 USDC - $732.00
Protocols shouldn't set the deadline to block.timestamp: a validator can hold the transaction, and whichever block it is eventually included in, the deadline will equal that block's block.timestamp, so the check offers no protection.
A malicious miner can hold the transaction. The transaction may have been submitted in order to free up capital so that funds are available for operations that prevent a liquidation. It is highly likely that mining a liquidation, with its associated follow-on transactions, is more profitable for a miner than allowing the decrease of liquidity. A miner can also simply hold the transaction until maximum slippage is incurred.
https://dacian.me/defi-slippage-attacks#heading-no-expiration-deadline
https://twitter.com/0xOwenThurm/status/1614289583679868928?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1614289583679868928%7Ctwgr%5E55271315238a0ac7aed61ff53e7105981a6db1ee%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fcdn.iframe.ly%2FzzyzcMI%3Fapp%3D1
https://code4rena.com/reports/2022-11-paraspace/#m-13-interactions-with-amms-do-not-use-deadlines-for-operations
Manual review
Protocols should allow users to set expiration deadlines; without one, any user initiating a swap may be exposed to a potentially critical loss of funds.
Timing
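The weak pattern described above next to the recommended one, as an added example that is not code from the audited protocol or from the original finding. It assumes a Uniswap V2-style router; the SwapWrapper contract and its function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumption: a Uniswap V2-style router. The audited protocol's own AMM
// integration is not shown on this page.
interface IRouter {
    function swapExactTokensForTokens(
        uint256 amountIn, uint256 amountOutMin, address[] calldata path,
        address to, uint256 deadline
    ) external returns (uint256[] memory amounts);
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical wrapper, for illustration only.
contract SwapWrapper {
    IRouter public immutable router;

    error DeadlineExpired(uint256 deadline, uint256 currentTime);

    constructor(IRouter router_) { router = router_; }

    // Weak: the deadline is computed at execution time, so the router's
    // "deadline >= block.timestamp" check passes in whatever block the
    // transaction finally lands in, however long it was held.
    function swapNoProtection(uint256 amountIn, uint256 minOut, address[] calldata path)
        external returns (uint256[] memory)
    {
        _pull(path[0], amountIn);
        return router.swapExactTokensForTokens(amountIn, minOut, path, msg.sender, block.timestamp);
    }

    // Corrected: the deadline is chosen by the user off-chain and is part of
    // the signed calldata, so a transaction held past it reverts.
    function swapWithDeadline(uint256 amountIn, uint256 minOut, address[] calldata path, uint256 deadline)
        external returns (uint256[] memory)
    {
        if (block.timestamp > deadline) revert DeadlineExpired(deadline, block.timestamp);
        _pull(path[0], amountIn);
        return router.swapExactTokensForTokens(amountIn, minOut, path, msg.sender, deadline);
    }

    // Assumes tokens that return bool from transferFrom/approve.
    function _pull(address token, uint256 amount) private {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        require(IERC20(token).approve(address(router), amount), "approve failed");
    }
}
```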
#0 - c4-judge
2023-05-18T02:42:45Z
0xean marked the issue as duplicate of #167
#1 - c4-judge
2023-06-05T14:15:36Z
0xean marked the issue as satisfactory