DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Front -running createForceBid

0xch

Summary

potential front-running createForcedBid

Vulnerability Details

This function is used to create a bid order for exiting a short position and is only callable by specific contracts. However, the function does not validate the sender of the transaction, which makes it susceptible to front-running attacks. In a front-running attack, a malicious actor can watch the pending transactions pool (mempool) and create a similar transaction with a higher gas price, causing it to be mined before the original transaction. This could allow the attacker to manipulate the price or market conditions to their advantage before the original transaction is processed.

Impact

Tools Used

Manual

Recommendations

To resolve this issue, you should add a modifier to the createForcedBid function that checks if the sender of the transaction is an authorized contract. This can be done by maintaining a list of authorized contracts and checking if the sender is in this list before executing the function. Here is an example of how you can implement this:

// List of authorized contracts

address[] authorizedContracts;

modifier onlyAuthorizedContracts() {

bool isAuthorized = false;

for (uint i = 0; i < authorizedContracts.length; i++) {

if (msg.sender == authorizedContracts[i]) {

isAuthorized = true;

break;

}

require(isAuthorized, "Caller is not an authorized contract");

}

function createForcedBid(

address sender,

address asset,

uint80 price,

uint88 ercAmount,

uint16[] calldata shortHintArray

) external onlyDiamond onlyAuthorizedContracts returns (uint88 ethFilled, uint88 ercAmountLeft) {

// function body

}

In this example, onlyAuthorizedContracts is a modifier that loops through the authorizedContracts array and checks if msg.sender is in the list. If msg.sender is not in the list, the function call is reverted with an error message. This ensures that only authorized contracts can call the createForcedBid function, preventing front-running attacks.

Updates

Lead Judging Commences

0xnevi Lead Judge

over 1 year ago

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Other

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.