Summary

potential front-running createForcedBid

Vulnerability Details

This function is used to create a bid order for exiting a short position and is only callable by specific contracts. However, the function does not validate the sender of the transaction, which makes it susceptible to front-running attacks. In a front-running attack, a malicious actor can watch the pending transactions pool (mempool) and create a similar transaction with a higher gas price, causing it to be mined before the original transaction. This could allow the attacker to manipulate the price or market conditions to their advantage before the original transaction is processed.

Impact

Tools Used

Manual

Recommendations

To resolve this issue, you should add a modifier to the createForcedBid function that checks if the sender of the transaction is an authorized contract. This can be done by maintaining a list of authorized contracts and checking if the sender is in this list before executing the function. Here is an example of how you can implement this:

In this example, onlyAuthorizedContracts is a modifier that loops through the authorizedContracts array and checks if msg.sender is in the list. If msg.sender is not in the list, the function call is reverted with an error message. This ensures that only authorized contracts can call the createForcedBid function, preventing front-running attacks.