saidam017
high
The USSD's UniV3SwapInput() executes swaps without slippage protection and not defining deadline. For missing slippage protection, will cause a loss of funds caused by sandwich attacks. For missing deadline, it will cause transaction to be reverted.
The USSD's UniV3SwapInput() is crucial function inside rebalancing process, it will be used for either buy or sell collateral for USSD. However, the current UniV3SwapInput() defined with 0 value for amountOutMinimum and not defining deadline.
For deadline, need to provide with current block.timestamp or sensible time buffer. For Slippage however, amountOutMinimum need to be calculated outside of the swap transaction. Otherwise, it uses the already modified pool values to calculate the min out value.
Because deadline is not defined, will use default value 0, and the deadline is checked inside the Uniswap exactInput() call, the function will revert :
modifier checkDeadline(uint256 deadline) {
require(_blockTimestamp() <= deadline, 'Transaction too old');
_;
}For amountOutMinimum with 0 value, can cause rebalance process vulnerable to sandwich attacks.
Manual Review
Provide the necessary deadline, and for amountOutMinimum, consider it can be defined by control role for each collateral token.