A smart contract audit finding reveals a critical vulnerability in a Uniswap v4-based DeFi Zap contract where missing slippage protection on an internal swap enabled 100% MEV leakage via sandwich attacks. The StableSwapZapIn contract protected the final LP token minting step but left the intermediate token swap completely unguarded by setting sqrtPriceLimitX96 to its absolute extreme. This allowed MEV bots to front-run user transactions, inflate token prices, and extract nearly all deposited value. The fix requires accepting a user-defined minTokenBOut parameter for every internal swap, not just the final liquidity provision step. Key takeaway: every AMM interaction in a multi-step contract must have explicit slippage limits.
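The gap between the unguarded and the guarded swap leg, as an added example that is not code from the audited contract: it uses a constructed constant-product pool as a simplified stand-in for Uniswap v4 pricing, with assumed reserves, fee and a hypothetical 50 bps tolerance. Only the name minTokenBOut comes from the page.

```python
class SlippageExceeded(Exception):
    """Stands in for the contract reverting the whole transaction."""

class Pool:
    """Constructed x*y=k pool with a 0.3% fee (simplified; not Uniswap v4 math)."""
    def __init__(self, reserve_a, reserve_b, fee_bps=30):
        self.reserve_a, self.reserve_b, self.fee_bps = reserve_a, reserve_b, fee_bps

    def quote(self, amount_a_in):
        # Output the pool would pay right now for amount_a_in of token A.
        net_in = amount_a_in * (10_000 - self.fee_bps) // 10_000
        return self.reserve_b * net_in // (self.reserve_a + net_in)

    def swap_a_for_b(self, amount_a_in, min_token_b_out=0):
        # min_token_b_out=0 models the unguarded internal swap: any price is accepted.
        out = self.quote(amount_a_in)
        if out < min_token_b_out:
            raise SlippageExceeded(f"got {out}, need >= {min_token_b_out}")
        self.reserve_a += amount_a_in
        self.reserve_b -= out
        return out

def min_out_from_quote(quoted_out, tolerance_bps):
    # Caller-side bound: quote taken before submission, minus an accepted tolerance.
    return quoted_out * (10_000 - tolerance_bps) // 10_000

def run_scenario(guarded):
    pool = Pool(1_000_000, 1_000_000)          # constructed reserves
    deposit = 10_000                           # user's token A routed through the zap
    quoted = pool.quote(deposit)               # what the user saw when signing
    min_token_b_out = min_out_from_quote(quoted, 50) if guarded else 0
    pool.swap_a_for_b(1_000_000)               # another trade lands first and moves the price
    try:
        return quoted, pool.swap_a_for_b(deposit, min_token_b_out)
    except SlippageExceeded:
        return quoted, None                    # reverted: user keeps the deposit

if __name__ == "__main__":
    print("unguarded:", run_scenario(guarded=False))
    print("guarded:  ", run_scenario(guarded=True))
```

With the bound at zero the swap settles at roughly a quarter of the quoted output; with the bound set from the quote, the same pool state causes a revert and the deposit is never exchanged.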

5m read time. From coinsbench.com