The makePrediction function in the ThePredicter contract may be vulnerable to frontrunning-style attacks when it is called close to the prediction closing time. A user whose transaction an attacker manages to push past the closing time loses their chance to make a prediction.
The makePrediction function includes a critical time check to ensure that predictions are made before a specified closing time:
https://github.com/Cyfrin/2024-07-the-predicter/blob/main/src/ThePredicter.sol#L85
Issue: If a user submits a prediction close to the closing time, an attacker monitoring the transaction pool can try to delay it. Note that the check compares block.timestamp, which is identical for every transaction in a block, so merely paying a higher gas fee to be ordered ahead of the user inside the same block does not change the outcome of the check for either transaction. The legitimate call only reverts if it ends up in a later block whose timestamp is past the closing time, for example because the attacker fills the remaining blocks before the deadline with high-fee transactions (block stuffing) while the user's transaction sits in the mempool.
Result: The legitimate user misses their chance to make a prediction and, because the window is tied to wall-clock time, cannot retry, which is an unfair disadvantage and a loss of opportunity.
Impact: A frontrunning vulnerability of this kind compromises the fairness of the prediction process.
Tools Used: Manual code review
Implement a Grace Period:
Introduce a short grace period or buffer beyond the closing time so that a transaction delayed by a block or two is still accepted. Note that a buffer only moves the boundary: a user who submits at the very end of the grace period faces the same race, so the deadline (including the buffer) should be stated clearly so users can submit well before it.
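The block-ordering point from the Issue above and the effect of the recommended grace buffer, as an added Foundry example that is not part of this finding or of the ThePredicter code base; the PredictionDeadline contract, its GRACE_PERIOD value, the custom error and the forge-std harness are all assumptions made for illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Simplified stand-in for the deadline logic in makePrediction.
/// Not the ThePredicter source: the contract name, storage layout,
/// error signature and GRACE_PERIOD value are assumptions for this example.
contract PredictionDeadline {
    error PredictionsAreClosed(uint256 blockTime, uint256 deadline);

    uint256 public immutable closingTime;
    /// Buffer after closingTime during which predictions are still accepted.
    uint256 public constant GRACE_PERIOD = 10 minutes;

    mapping(address => bytes32) public predictions;

    constructor(uint256 closingTime_) {
        closingTime = closingTime_;
    }

    /// Strict cutoff: the shape of the original time check.
    function makePredictionStrict(bytes32 prediction) external {
        if (block.timestamp > closingTime) {
            revert PredictionsAreClosed(block.timestamp, closingTime);
        }
        predictions[msg.sender] = prediction;
    }

    /// Same check with the recommended grace buffer applied.
    function makePredictionWithGrace(bytes32 prediction) external {
        uint256 deadline = closingTime + GRACE_PERIOD;
        if (block.timestamp > deadline) {
            revert PredictionsAreClosed(block.timestamp, deadline);
        }
        predictions[msg.sender] = prediction;
    }
}

contract PredictionDeadlineTest is Test {
    PredictionDeadline internal target;
    address internal user = makeAddr("user");
    address internal attacker = makeAddr("attacker");
    uint256 internal constant CLOSING = 1_700_000_000; // assumed deadline

    function setUp() public {
        target = new PredictionDeadline(CLOSING);
    }

    /// Being ordered behind the attacker in the same block changes nothing:
    /// both calls observe the same block.timestamp and both succeed.
    function test_sameBlockOrderingDoesNotRevert() public {
        vm.warp(CLOSING);
        vm.prank(attacker);
        target.makePredictionStrict("attacker");
        vm.prank(user);
        target.makePredictionStrict("user");
        assertEq(target.predictions(user), bytes32("user"));
    }

    /// Only a transaction pushed into a later block, whose timestamp is past
    /// the deadline, fails the strict check; the grace buffer still admits it.
    function test_delayedBlockRevertsStrictButNotGrace() public {
        vm.warp(CLOSING + 1);
        vm.prank(user);
        vm.expectRevert(
            abi.encodeWithSelector(
                PredictionDeadline.PredictionsAreClosed.selector,
                CLOSING + 1,
                CLOSING
            )
        );
        target.makePredictionStrict("user");

        vm.prank(user);
        target.makePredictionWithGrace("user");
        assertEq(target.predictions(user), bytes32("user"));
    }

    /// The grace period only moves the boundary; past it the same race exists.
    function test_pastGraceBoundaryStillReverts() public {
        vm.warp(CLOSING + target.GRACE_PERIOD() + 1);
        vm.prank(user);
        vm.expectRevert();
        target.makePredictionWithGrace("user");
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed. The first test is the one worth keeping in mind when judging severity: a competing transaction with a higher fee in the same block does not make the user's call fail, so the attack requires delaying the user's transaction into a later block, which costs the attacker real gas for every block stuffed before the deadline.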