Skip to content

Latest commit

 

History

History
93 lines (70 loc) · 3.53 KB

028.md

File metadata and controls

93 lines (70 loc) · 3.53 KB

Cheery Holographic Swift

Medium

Lack of slippage control will cause user losses.

Summary

The StablecoinHandler::_stablecoinSwap() function lacks a slippage control mechanism, exposing users to potential losses due to the unexpected price fluctuations or significant transaction delays.

Root Cause

The StablecoinHandler::_stablecoinSwap() function does not implement slippage control, as shown below:

    function _stablecoinSwap(
        address wallet,
        StablecoinSwap memory ss
    ) internal {
        if (
            ss.stablecoinFeeCurrency != address(0) &&
            ss.stablecoinFeeSafe != address(0)
        )
            ERC20PermitUpgradeable(ss.stablecoinFeeCurrency).safeTransferFrom(
                wallet,
                ss.stablecoinFeeSafe,
                ss.feeAmount
            );

        // Handle the transfer or burning of the origin currency:
        // If the origin is a recognized stablecoin (XYZ), burn the specified amount from the wallet.
        if (isXYZ(ss.origin)) {
            Stablecoin(ss.origin).burnFrom(wallet, ss.oAmount);
        } else {
            ERC20PermitUpgradeable(ss.origin).safeTransferFrom(
                wallet,
                ss.liquiditySafe,
                ss.oAmount
            );
        }

        // Handle the minting or transferring of the target currency:
        // If the target is a recognized stablecoin (XYZ), mint the required amount to the destination address.
        if (isXYZ(ss.target)) {
            Stablecoin(ss.target).mintTo(ss.destination, ss.tAmount);
        } else {
            ERC20PermitUpgradeable(ss.target).safeTransferFrom(
                ss.liquiditySafe,
                ss.destination,
                ss.tAmount
            );
        }
    }

Internal pre-conditions

No response

External pre-conditions

Transaction is delayed due to the Polygon network congestion or other causes.

Attack Path

Scenario 1:

  1. Assume the price of 1 eUSD is $1 and the price of 1 eMXN is $0.11.
  2. A user approve a swap of 10 eUSD for 100 eMXN, expecting a profit of $1.
  3. A swapper calls StablecoinHandler::stablecoinSwap() on behalf of the user.
  4. Due to the congestion of Polygon network, the transaction is delayed by 30 minutes.
  5. During this period, the price of eMXN drops to $0.09.
  6. The swap transaction completes, and the user receives 100 eMXN for 10 eUSD. As a result, the user lose his funds by $1.

Scenario 2:

  1. A user needs to pay 100 eMXN as a tax by 12:00 p.m. but only holds 10 eUSD at the time.
  2. The user approve a swap of 10 eUSD for 100 eMXN via the Telcoin app at 11:45 a.m.
  3. A swapper calls StablecoinHandler::stablecoinSwap() for the user immediately.
  4. However, due to the Polygon network congestion, the transaction is delayed by 30 minutes.
  5. The transaction completes at 12:15 p.m., and the user receives 100 eMXN.
  6. Since the eMXN is no longer useful, the user must swap them back to eUSD, paying the protocol fee twice and losing funds in the process.

Impact

In DEXs and AMMs, slippage can significantly impact the trade outcomes. As demonstrated in the examples above, users may lose funds due to the price fluctations or transaction delays if slippage control is not implemented in the swap function.

PoC

No response

Mitigation

Add a deadline parameter to the StablecoinHandler::stablecoinSwap() function and revert the transaction if the deadline expires.