Slippage Protection
Detects missing slippage protection in token swap operations.
Slippage Protection
Overview
The slippage protection detector identifies token swap operations that lack minimum output amount validation. Swaps without proper slippage bounds can result in significant value loss due to frontrunning, sandwich attacks, or market volatility.
For remediation guidance, see Slippage Protection Remediation.
Why This Is an Issue
Token swaps on Solana DEXes execute at the current market price. Without a minimum output amount, the actual received amount can differ drastically from the expected amount. Attackers exploit this through sandwich attacks: they move the price before the victim’s swap, let the victim execute at the worse price, then reverse their position. Hardcoded slippage values above 5% are also flagged as overly permissive.
How to Resolve
Before (Vulnerable)
// Vulnerable: swap without minimum output
pub fn swap(ctx: Context<Swap>, amount_in: u64) -> Result<()> {
let output = execute_swap(&ctx.accounts.pool, amount_in)?;
token::transfer(ctx.accounts.into_ctx(), output)?;
Ok(())
}After (Fixed)
// Fixed: user-supplied minimum output
pub fn swap(ctx: Context<Swap>, amount_in: u64, min_amount_out: u64) -> Result<()> {
let output = execute_swap(&ctx.accounts.pool, amount_in)?;
require!(output >= min_amount_out, ErrorCode::SlippageExceeded);
token::transfer(ctx.accounts.into_ctx(), output)?;
Ok(())
}Example JSON Finding
{
"detector": "slippage-protection",
"severity": "high",
"confidence": 0.85,
"message": "Token swap CPI without minimum output amount validation",
"location": { "function": "swap", "block": 0, "statement": 2 }
}Detection Methodology
- Swap CPI identification: Detects CPI calls to known DEX programs (Raydium, Orca, Jupiter).
- Output comparison search: Looks for comparison operations on the swap output against a minimum threshold.
- Hardcoded slippage detection: Flags hardcoded percentage-based slippage values exceeding 5%.
- Missing bounds analysis: Verifies that swap outputs are checked before token transfers.
Limitations
False positives: Programs using Jupiter aggregator routes may have slippage checked in the aggregator rather than the calling program. False negatives: Custom DEX implementations with non-standard interfaces may not be recognized.
Related Detectors
- MEV Vulnerabilities — broader MEV exploitation
- Price Impact — large trade price impact