Missing Deadline
Detects DEX and AMM swap operations that lack transaction deadline validation, allowing pending transactions to execute at stale prices.
Overview
The missing deadline detector identifies swap and liquidity operations that do not check block.timestamp against a user-provided deadline. Without a deadline, a transaction can sit in the mempool for hours or days and execute at a price far from what the user expected — either due to natural market movement or deliberate withholding by validators.
Why This Is an Issue
Users submit swap transactions with an expected price based on current market conditions. If the transaction is delayed (due to low gas price, network congestion, or validator censorship), the market price may have moved significantly. Without a deadline check, the swap executes at whatever price exists when the transaction is finally included, which may be far worse than the user’s expectation.
How to Resolve
```solidity
// Before: Vulnerable — no deadline
function swap(uint256 amountIn, uint256 minOut) external returns (uint256) {
    // Could execute hours later at a different price
    return _executeSwap(amountIn, minOut);
}

// After: Fixed — deadline enforced
function swap(uint256 amountIn, uint256 minOut, uint256 deadline) external returns (uint256) {
    require(block.timestamp <= deadline, "Transaction expired");
    return _executeSwap(amountIn, minOut);
}
```
Detection Methodology
- Swap function identification: Identifies functions that perform token exchanges based on transfer patterns.
- Deadline parameter check: Searches for a `block.timestamp` comparison against a function parameter.
- Modifier detection: Checks for `ensure(deadline)` or similar modifier patterns.
- Confidence scoring: Swap functions with no timestamp check receive highest confidence.
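
The four detection steps above, sketched as a text-level heuristic in Python. This is an added example, not the detector's own implementation: the regexes, the `find_missing_deadline` and `body_at` names, the `high`/`medium` scale and the sample contract are all assumptions made for illustration.

```python
import re

# Constructed sample contract (not from the page): three swap variants.
SAMPLE = """
contract Router {
    modifier ensure(uint256 deadline) { require(block.timestamp <= deadline, "expired"); _; }
    function swapNoDeadline(uint256 amountIn, uint256 minOut) external returns (uint256) {
        tokenIn.transferFrom(msg.sender, address(this), amountIn);
        tokenOut.transfer(msg.sender, minOut);
    }
    function swapChecked(uint256 amountIn, uint256 minOut, uint256 deadline) external {
        require(block.timestamp <= deadline, "Transaction expired");
        tokenIn.transferFrom(msg.sender, address(this), amountIn);
        tokenOut.transfer(msg.sender, minOut);
    }
    function swapWithModifier(uint256 amountIn, uint256 deadline) external ensure(deadline) {
        tokenIn.transferFrom(msg.sender, address(this), amountIn);
        tokenOut.transfer(msg.sender, amountIn);
    }
}
"""

FUNC = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")
CMP = re.compile(r"block\.timestamp\s*(?:<=|>=|<|>)\s*(\w+)|(\w+)\s*(?:<=|>=|<|>)\s*block\.timestamp")
MOD = re.compile(r"\w+\s*\(\s*(\w+)\s*\)")

def body_at(src, start):
    # Brace-balanced body starting right after the opening '{' (ignores braces in strings).
    depth, i = 1, start
    while depth and i < len(src):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[start:i - 1]

def find_missing_deadline(src):
    """Return {function_name: confidence} for swap-like functions lacking a deadline check."""
    findings = {}
    for m in FUNC.finditer(src):
        name, params, tail = m.groups()
        names = {p.split()[-1] for p in params.split(",") if p.strip()}
        body = body_at(src, m.end())
        # Swap identification: tokens pulled in and pushed out in the same function.
        if not (re.search(r"\btransferFrom\s*\(", body) and re.search(r"\.(?:safeTransfer|transfer)\s*\(", body)):
            continue
        compared = {g for pair in CMP.findall(body) for g in pair if g}  # inline timestamp checks
        via_modifier = set(MOD.findall(tail))  # arguments handed to modifiers, e.g. ensure(deadline)
        if not names & (compared | via_modifier):
            # Assumed scale: no timestamp use at all is the strongest signal.
            findings[name] = "high" if "block.timestamp" not in body else "medium"
    return findings
```

Calling `find_missing_deadline(SAMPLE)` reports only `swapNoDeadline`. The modifier branch trusts that any modifier receiving a parameter actually compares it to `block.timestamp`, so a production detector would resolve the modifier body as well.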
Limitations
- False positives: Internal swap functions called by deadline-protected outer functions may be flagged.
- False negatives: Custom deadline mechanisms (e.g., stored in a struct or passed via encoded bytes) may not be recognized.
Related Detectors
- Slippage Validation — detects missing minimum output checks
- Sandwich Attack — detects sandwich attack vulnerability
- Timestamp Dependence — detects timestamp manipulation risks