The lack of a slippage value allows attackers to sandwich attack the transaction and extract the value.
Vulnerability Details
In Fees.sol, the sellProfits function executes a swap on Uniswap, but the amountOutMinimum value, which is responsible for slippage protection, is set to 0, which allows the swap to yield 0 tokens in return for the amount provided. This allows MEV bots to pick the transaction up from the mempool and sandwich it by manipulating the pool in which the swap is happening.
    function sellProfits(address _profits) public {
        require(_profits != WETH, "not allowed");
        // Swap the contract's entire balance of the profit token
        uint256 amount = IERC20(_profits).balanceOf(address(this));
        ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
            .ExactInputSingleParams({
                tokenIn: _profits,
                tokenOut: WETH,
                fee: 3000,
                recipient: address(this),
                deadline: block.timestamp,
                amountIn: amount,
                amountOutMinimum: 0, //@audit 0 as a slippage amount makes this swap very vulnerable to sandwich attacks
                sqrtPriceLimitX96: 0
            });
        amount = swapRouter.exactInputSingle(params);
        // Forward all WETH held by the contract to the staking contract
        IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));
    }
Impact
The amount getting swapped will be completely lost.
Tools Used
Manual Review
Recommendations
Consider setting amountOutMinimum to an appropriate value that includes a conservative amount of tolerance for price impact.
Unspecified slippage allows sandwich attacks
Severity
High Risk
Relevant GitHub Links
https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Fees.sol#L26-L44
https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Fees.sol#L38