Skip to content

Latest commit

 

History

History
51 lines (32 loc) · 1.39 KB

041.md

File metadata and controls

51 lines (32 loc) · 1.39 KB

Fast Khaki Raccoon

High

MEV bots will steal from users due to an incorrectly manipulated value

Summary

MEV bots will steal from users due to an incorrectly manipulated value

Root Cause

Upon calling Zapper::_zap() to handle a transfer of a different token, we have the following code which is for a direct swap in a Uniswap V3 pool:

else {
        _amountOut = _swapV3Single(_in, _getPoolFee(_poolInfo.pool1), _out, _amountIn, _amountOutMin);

}

The _amountOutMin is provided by the user as slippage. The issue is that upon calling _swapV3Single(), we have the following code:

uint256 _finalSlip = _slippage[_v3Pool] > 0 ? _slippage[_v3Pool] : _defaultSlippage;
...
DEX_ADAPTER.swapV3Single(_in, _out, _fee, _amountIn, (_amountOutMin * (1000 - _finalSlip)) / 1000, address(this));

As seen, the provided minimum amount is manipulated and decreased further.

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

  1. User provides 100 tokens to swap and wants at least 90 in return
  2. The 90 minimum tokens input is decreased by _finalSlip percentage, resulting in the user receiving less than what he provided

Impact

Theft of funds from innocent users who have done nothing wrong

PoC

No response

Mitigation

Do not manipulate the value for users who provided a specific amount of minimum tokens to receive