DittoETH

Ditto
DeFiFoundryOracle
55,000 USDC
Submission Details
Severity: high
Invalid

Front-running createForcedBid

Summary

Potential front-running of createForcedBid.

Vulnerability Details

The createForcedBid function is used to create a bid order for exiting a short position and is only callable by specific contracts. However, the function does not validate the sender of the transaction, which makes it susceptible to front-running attacks. In a front-running attack, a malicious actor watches the pending-transaction pool (mempool) and submits a similar transaction with a higher gas price, causing it to be mined before the original transaction. This could allow the attacker to manipulate the price or market conditions to their advantage before the original transaction is processed.

Impact

Tools Used

Manual

Recommendations

To resolve this issue, you should add a modifier to the createForcedBid function that checks if the sender of the transaction is an authorized contract. This can be done by maintaining a list of authorized contracts and checking if the sender is in this list before executing the function. Here is an example of how you can implement this:

// List of authorized contracts
address[] authorizedContracts;

// Reverts unless msg.sender appears in authorizedContracts
modifier onlyAuthorizedContracts() {
    bool isAuthorized = false;
    for (uint i = 0; i < authorizedContracts.length; i++) {
        if (msg.sender == authorizedContracts[i]) {
            isAuthorized = true;
            break;
        }
    }
    require(isAuthorized, "Caller is not an authorized contract");
    _;
}

function createForcedBid(
    address sender,
    address asset,
    uint80 price,
    uint88 ercAmount,
    uint16[] calldata shortHintArray
) external onlyDiamond onlyAuthorizedContracts returns (uint88 ethFilled, uint88 ercAmountLeft) {
    // function body
}

In this example, onlyAuthorizedContracts is a modifier that loops through the authorizedContracts array and checks if msg.sender is in the list. If msg.sender is not in the list, the function call is reverted with an error message. This ensures that only authorized contracts can call the createForcedBid function, preventing front-running attacks.
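The recommendation above loops over an array on every call, which costs gas linearly in the number of authorized contracts and offers no way to add or remove entries. The following is an added example, not DittoETH code and not the submitter's code, showing the same allowlist idea as an owner-managed mapping with O(1) lookup, custom errors, and events so that allowlist changes can be monitored. The contract name ForcedBidGate, the owner/allowCaller/revokeCaller functions, the event and error names, and the placeholder body of createForcedBid are all assumptions introduced for illustration; the project's own onlyDiamond modifier is omitted because the diamond is not on the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not DittoETH code): an owner-managed allowlist of caller
// contracts stored in a mapping, so the access check is a single SLOAD
// instead of a loop. All names in this contract are illustrative assumptions.
contract ForcedBidGate {
    address public owner;

    // Allowlist: caller address => may invoke the gated function
    mapping(address => bool) public isAuthorizedCaller;

    // Events give defenders an on-chain trail of allowlist changes.
    event CallerAllowed(address indexed caller);
    event CallerRevoked(address indexed caller);

    // Custom errors are cheaper than revert strings and carry the offending caller.
    error NotOwner();
    error CallerNotAuthorized(address caller);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Equivalent of the report's onlyAuthorizedContracts, without the loop.
    modifier onlyAuthorizedCaller() {
        if (!isAuthorizedCaller[msg.sender]) revert CallerNotAuthorized(msg.sender);
        _;
    }

    // Add a contract to the allowlist. Only the owner may do this.
    function allowCaller(address caller) external onlyOwner {
        isAuthorizedCaller[caller] = true;
        emit CallerAllowed(caller);
    }

    // Remove a contract from the allowlist (the array version offers no removal).
    function revokeCaller(address caller) external onlyOwner {
        isAuthorizedCaller[caller] = false;
        emit CallerRevoked(caller);
    }

    // Illustrative stand-in for the gated function from the report. Unused
    // parameters are left unnamed so the example compiles without warnings.
    // The real order-matching logic is not on the page, so the body is a
    // hypothetical placeholder that fills nothing and returns the input amount.
    function createForcedBid(
        address /* sender */,
        address /* asset */,
        uint80 /* price */,
        uint88 ercAmount,
        uint16[] calldata /* shortHintArray */
    ) external onlyAuthorizedCaller returns (uint88 ethFilled, uint88 ercAmountLeft) {
        ethFilled = 0;
        ercAmountLeft = ercAmount;
    }
}
```

Two points worth keeping in mind when applying this pattern. First, the original signature on the page already carries onlyDiamond, so an extra allowlist only adds protection if the set of contracts it admits is narrower than what onlyDiamond already permits; otherwise it is a second check with the same effect. Second, any check keyed on msg.sender restricts who may call the function, not the order in which a block producer includes transactions, so an authorized caller's transactions can still be reordered relative to one another; allowlisting is an access-control measure, and ordering concerns are addressed separately.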

Updates

Lead Judging Commences
0xnevi, Lead Judge, over 1 year ago

Submission Judgement Published
Invalidated
Reason: Other
