Beginner Friendly, Foundry, NFT
Submission Details
Severity: high
Valid

Front running attacks

Summary

Functions that can be front-run to cause problems or unexpected behaviour.

Vulnerability Details

  1. changeFeeAddress can be front-run. Suppose the owner wants to change the fee address so that fees are collected into a new address, because the old address is no longer trusted or is misbehaving. The controller of the old address sees the changeFeeAddress call in the mempool and immediately calls withdrawFees(), which anyone can call, with a higher gas price so that it is mined first. The accumulated fees are paid to the old address before it is replaced by the new one.

  2. selectWinner is also open to front-running. A miner (or anyone else watching the mempool) who sees a selectWinner call can submit their own call ahead of it and, because the randomness is weak, arrange for the selected index to land on their own or a preferred address and win the raffle.

Impact

Unexpected and wrong behaviour, e.g. the old fee account can still collect fees when the intention was to send them to the new fee account, and a front-runner of selectWinner can win the raffle.

Tools Used

Manual Analysis

Recommendations

e.g. withdrawFees must be access controlled (owner only) or timelocked, so that a pending fee-address change can be checked, and corrected if needed, before any payout is sent.
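The following is an added illustration, not the audited contract or the project's own code: a hypothetical minimal raffle with the open withdrawFees pattern described in finding 1, the hardened variant suggested above (owner-only withdrawFees plus a two-step, timelocked fee-address change), and a Foundry test that reproduces the front-run against the open version and shows it failing against the guarded one. All contract and function names other than changeFeeAddress and withdrawFees, and the 1 day delay, are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical base (not the audited code): fees accrue in totalFees and are
// paid out to feeAddress by _payFees().
abstract contract FeeVaultBase {
    address public owner;
    address public feeAddress;
    uint256 public totalFees;

    constructor(address _feeAddress) {
        owner = msg.sender;
        feeAddress = _feeAddress;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Stand-in for the fee share a raffle would keep from each entry.
    function collectFee() external payable {
        totalFees += msg.value;
    }

    function _payFees() internal {
        uint256 amount = totalFees;
        totalFees = 0;
        (bool ok, ) = feeAddress.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

contract OpenFeesRaffle is FeeVaultBase {
    constructor(address _feeAddress) FeeVaultBase(_feeAddress) {}

    function changeFeeAddress(address newFeeAddress) external onlyOwner {
        feeAddress = newFeeAddress;
    }

    // Vulnerable: anyone can trigger the payout, so the holder of the old
    // feeAddress can front-run changeFeeAddress and keep the fees.
    function withdrawFees() external {
        _payFees();
    }
}

contract GuardedFeesRaffle is FeeVaultBase {
    address public pendingFeeAddress;
    uint256 public feeAddressChangeAt;
    uint256 public constant CHANGE_DELAY = 1 days; // assumed delay

    constructor(address _feeAddress) FeeVaultBase(_feeAddress) {}

    function proposeFeeAddress(address newFeeAddress) external onlyOwner {
        pendingFeeAddress = newFeeAddress;
        feeAddressChangeAt = block.timestamp + CHANGE_DELAY;
    }

    function applyFeeAddress() external onlyOwner {
        require(pendingFeeAddress != address(0), "nothing pending");
        require(block.timestamp >= feeAddressChangeAt, "timelock active");
        feeAddress = pendingFeeAddress;
        pendingFeeAddress = address(0);
    }

    // Hardened: owner-only, and refused while a fee-address change is pending.
    function withdrawFees() external onlyOwner {
        require(pendingFeeAddress == address(0), "fee address change pending");
        _payFees();
    }
}

contract FeeFrontRunTest is Test {
    address oldFee;
    address newFee;

    function setUp() public {
        oldFee = makeAddr("oldFee");
        newFee = makeAddr("newFee");
        vm.deal(address(this), 2 ether);
    }

    function test_openWithdrawFeesCanBeFrontRun() public {
        OpenFeesRaffle raffle = new OpenFeesRaffle(oldFee);
        raffle.collectFee{value: 1 ether}();
        // Owner broadcasts changeFeeAddress(newFee); oldFee sees it in the
        // mempool and lands withdrawFees() first with a higher gas price.
        vm.prank(oldFee);
        raffle.withdrawFees();
        raffle.changeFeeAddress(newFee);
        assertEq(oldFee.balance, 1 ether);
        assertEq(newFee.balance, 0);
    }

    function test_guardedWithdrawFeesRejectsFrontRun() public {
        GuardedFeesRaffle raffle = new GuardedFeesRaffle(oldFee);
        raffle.collectFee{value: 1 ether}();
        vm.prank(oldFee);
        vm.expectRevert("not owner");
        raffle.withdrawFees();
        raffle.proposeFeeAddress(newFee);
        vm.expectRevert("fee address change pending");
        raffle.withdrawFees();
        vm.warp(block.timestamp + 1 days);
        raffle.applyFeeAddress();
        raffle.withdrawFees();
        assertEq(newFee.balance, 1 ether);
        assertEq(oldFee.balance, 0);
    }
}
```

The second test shows why both parts of the recommendation matter: owner-only access alone stops the old fee address from calling withdrawFees, and the pending-change check stops a payout from going out while the owner is still in the middle of redirecting fees.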

Updates

Lead Judging Commences

Hamiltonite Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

selectWinner can be frontran
