Potential front-running of createForcedBid
This function creates a bid order for exiting a short position and is meant to be callable only by specific contracts. However, the function does not validate the sender of the transaction, which leaves it open to front-running. In a front-running attack, an actor watches the pending-transaction pool (mempool) and submits a similar transaction with a higher gas price so that it is mined before the original one. This could let the attacker shift the price or market conditions in their favour before the original transaction is processed.
Manual
To resolve this issue, you should add a modifier to the createForcedBid function that checks whether the sender of the transaction is an authorized contract. This can be done by maintaining a list of authorized contracts and checking that the sender is in this list before executing the function. Here is an example of how you can implement this:
In this example, onlyAuthorizedContracts is a modifier that loops through the authorizedContracts array and checks whether msg.sender is in the list. If msg.sender is not in the list, the function call is reverted with an error message. This ensures that only authorized contracts can call the createForcedBid function, preventing front-running attacks.
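The modifier described above, written out in full as an added example; this is not the audited project's code, and every name other than createForcedBid, onlyAuthorizedContracts and authorizedContracts (the owner/admin role, the function parameters and the event) is an assumption, since the finding does not include its snippet:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example. Names other than createForcedBid, onlyAuthorizedContracts
// and authorizedContracts are assumptions, not the audited project's code.
contract ForcedBidAccessControl {
    address public owner;
    address[] public authorizedContracts;

    event ForcedBidCreated(address indexed caller, uint256 positionId, uint256 amount);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Reverts unless msg.sender appears in the authorizedContracts list.
    modifier onlyAuthorizedContracts() {
        bool authorized = false;
        for (uint256 i = 0; i < authorizedContracts.length; i++) {
            if (authorizedContracts[i] == msg.sender) {
                authorized = true;
                break;
            }
        }
        require(authorized, "caller is not an authorized contract");
        _;
    }

    // Only the owner may extend the allow-list.
    function addAuthorizedContract(address c) external onlyOwner {
        authorizedContracts.push(c);
    }

    // Placeholder body: the real createForcedBid logic is not on this page.
    // The modifier rejects any direct call from an unlisted address.
    function createForcedBid(uint256 positionId, uint256 amount)
        external
        onlyAuthorizedContracts
    {
        emit ForcedBidCreated(msg.sender, positionId, amount);
    }
}
```

The loop costs gas in proportion to the list length; a `mapping(address => bool)` gives the same check in constant time and is the usual choice once the list can grow.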