Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UniSwapper.swapExactOut allows Sandwich attacks (front-run and back-run) #38

Closed
c4-bot-4 opened this issue Jan 20, 2024 · 6 comments
Closed

UniSwapper.swapExactOut allows Sandwich attacks (front-run and back-run) #38

c4-bot-4 opened this issue Jan 20, 2024 · 6 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working edited-by-warden insufficient quality report This report is not of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-bot-4
Copy link
Contributor

c4-bot-4 commented Jan 20, 2024
edited by c4-bot-10
Loading

Lines of code

https://github.com/code-423n4/2024-01-decent/blob/main/src/swappers/UniSwapper.sol#L143

Vulnerability details

Impact

Loss of funds.

Proof of Concept

UniSwapper.swapExactOut

The function swapExactOut tries to do the swap in the same block that it is initiated considering that the deadline is block.timestamp, as shown at [1], this approach carries a lot of Sandwich attacks (front-run and back-run).

This is mainly possible because the lack of a timelock to protect against front-runs and also an expiration time to protect against back-runs. Important to note that the system uses UniSwap V2 and the timelock is a mechanism used by UniSwap V2.

function swapExactOut(
    SwapParams memory swapParams,
    address receiver,
    address refundAddress
  ) public payable routerIsSet returns (uint256 amountIn) {
    swapParams = _receiveAndWrapIfNeeded(swapParams);
    IV3SwapRouter.ExactOutputParams memory params = IV3SwapRouter
      .ExactOutputParams({
        path: swapParams.path,
        recipient: address(this),
        //deadline: block.timestamp,            //[1]
        amountOut: swapParams.amountOut,
        amountInMaximum: swapParams.amountIn
      });

    IERC20(swapParams.tokenIn).approve(uniswap_router, swapParams.amountIn);
    amountIn = IV3SwapRouter(uniswap_router).exactOutput(params);

    // refund sender
    _refundUser(
      refundAddress,
      swapParams.tokenIn,
      params.amountInMaximum - amountIn
    );

    _sendToRecipient(receiver, swapParams.tokenOut, swapParams.amountOut);
  }

Tools Used

Manual review

Recommended Mitigation Steps

Patch

  • This code will add a timelock of 1 minute to the swap and an expiration time of 2 minutes. This means that the swap will not be executed until at least one minute after it is initiated. If the swap is not executed within two minutes, it will be reverted. This will help to protect against back-runs.
function swapExactOut(
  SwapParams memory swapParams,
  address receiver,
  address refundAddress
) public payable routerIsSet returns (uint256 amountIn) {
  swapParams = _receiveAndWrapIfNeeded(swapParams);
  IV3SwapRouter.ExactOutputParams memory params = IV3SwapRouter
    .ExactOutputParams({
      path: swapParams.path,
      recipient: address(this),
      deadline: block.timestamp + 1 minutes, // Add a timelock of 1 minute
      expirationTime: block.timestamp + 2 minutes // Set an expiration time of 2 minutes
    });

  IERC20(swapParams.tokenIn).approve(uniswap_router, swapParams.amountIn);
  amountIn = IV3SwapRouter(uniswap_router).exactOutput(params);

  // refund sender
  _refundUser(
    refundAddress,
    swapParams.tokenIn,
    params.amountInMaximum - amountIn
  );

  // send to recipient
  _sendToRecipient(receiver, swapParams.tokenOut, swapParams.amountOut);
}

Assessed type

Other
@c4-bot-4 c4-bot-4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jan 20, 2024
c4-bot-4 added a commit that referenced this issue Jan 20, 2024
@c4-bot-4
51l3nt issue #38
0fe5d30
@c4-pre-sort
Copy link

raymondfam marked the issue as insufficient quality report

@c4-pre-sort c4-pre-sort added the insufficient quality report This report is not of sufficient quality label Jan 23, 2024
@c4-pre-sort
Copy link

raymondfam marked the issue as duplicate of #37

@raymondfam
Copy link

Inadequate elaboration. See also #24 on deadline preference.

@c4-judge c4-judge reopened this Feb 2, 2024
@c4-judge
Copy link

c4-judge commented Feb 2, 2024

alex-ppg marked the issue as not a duplicate

@alex-ppg
Copy link

alex-ppg commented Feb 2, 2024

The Warden attempts to describe a potential attack on the swaps performed by the UniSwapper, however, the code they include is invalid and the trades are generally regarded as safe given that they evaluate their minimum outputs / maximum inputs. As such, I consider this submission invalid.

@c4-judge c4-judge closed this as completed Feb 2, 2024
@c4-judge
Copy link

c4-judge commented Feb 2, 2024

alex-ppg marked the issue as unsatisfactory:
Invalid

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Feb 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working edited-by-warden insufficient quality report This report is not of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@alex-ppg @raymondfam @c4-judge @c4-pre-sort @code4rena-admin @c4-bot-4