Curly Eggplant Bee
Medium
The missing deadline check in addLPAndStake will cause gas waste and fund lockup for users as network congestion will allow transactions to execute after the deadline expires.
In addLPAndStake (code link), the _deadline parameter is not validated before token transfers and _zap operations. This allows transactions to proceed with expired deadlines, wasting gas and locking funds.
Users must submit transactions with a _deadline that could expire before mining
Ethereum network congestion causes delayed transaction mining (e.g., during peak usage or MEV activity).
- User submits addLPAndStake with
_deadline = block.timestamp + 10 minutes. - Network congestion delays transaction mining by 15 minutes.
- Token transfers and _zap operations execute, but addLiquidityV2 reverts due to an expired deadline.
- User’s tokens are locked in the contract until manually refunded.
- Users suffer gas waste (500k gas ≈ $50) and temporary loss of access to transferred tokens.
- Protocol accumulates dust tokens, complicating accounting and creating potential attack surfaces.
Alice’s Action:
Alice calls addLPAndStake with _deadline = block.timestamp + 10 minutes (valid for 10 minutes).
She sends 100 IDX tokens and 1 ETH to the contract.
Network Congestion:
Due to high gas prices or MEV activity, Alice’s transaction is delayed and mined 15 minutes later (5 minutes after the deadline expires).
Transaction Execution:
The contract transfers Alice’s tokens and executes _zap (if needed).
When calling addLiquidityV2, the DEX handler checks the deadline and reverts because block.timestamp > _deadline.
Aftermath:
Alice’s 100 IDX tokens and 1 ETH are stuck in the contract until she manually calls a refund function.
She loses gas fees (~50–100) for the failed transaction.
Alice’s funds are temporarily locked, and she incurs unnecessary gas costs.
The protocol’s UX suffers, as users lose trust in transaction reliability.
No response