SCWE-090: Missing Slippage Protection in Automated Token Swaps
Stable Version v1.0
This content is in the version-(v1.0) and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
Relationships¶
- CWE-20: Improper Input Validation CWE-20 Link
Description¶
This weakness occurs when smart contracts execute token swaps through DEX routers (e.g., Uniswap, PancakeSwap, SushiSwap) with the amountOutMin parameter set to 0 or a hardcoded static value. This disables slippage protection and allows trades to execute regardless of adverse price movement. As a result, users or protocols may receive significantly fewer tokens than expected, especially under high volatility, front-running, or sandwich attack conditions.
Remediation¶
- Always validate amountOutMin based on live price quotes (e.g., using on-chain oracles or pre-trade estimates).
- Allow users to configure slippage tolerance (0.5%, 1%, etc.), and enforce it in contract logic.
- Never hardcode 0 or static values for amountOutMin.
Examples¶
-
Vulnerable Code (Missing Slippage Protection)
function swapTokens(address tokenIn, address tokenOut, uint256 amountIn) external { IERC20(tokenIn).approve(address(uniswapRouter), amountIn); address[] memory path = new address[](2); path[0] = tokenIn; path[1] = tokenOut; // ❌ amountOutMin is set to 0 → no protection against slippage uniswapRouter.swapExactTokensForTokens( amountIn, 0, // Vulnerable: accepts any output amount path, msg.sender, block.timestamp ); } -
Safe Code (With Slippage Protection)
function swapTokensWithSlippage( address tokenIn, address tokenOut, uint256 amountIn, uint256 minAmountOut ) external { IERC20(tokenIn).approve(address(uniswapRouter), amountIn); address[] memory path = new address[](2); path[0] = tokenIn; path[1] = tokenOut; // ✅ Enforces user-provided slippage tolerance uniswapRouter.swapExactTokensForTokens( amountIn, minAmountOut, // Safe: requires a minimum output path, msg.sender, block.timestamp ); }