The bid function is susceptible to front-running because the bid amount is visible in the public mempool before the transaction is mined. A malicious bidder can monitor pending transactions and submit a higher bid with a higher gas price so that it is included first, outbidding the honest bidder unfairly.
A genuine bidder places a bid using the bid function.
A malicious bidder monitors the mempool for the pending bid transaction and reads its amount.
The malicious bidder submits a higher bid with a higher gas price before the genuine bid is confirmed, so the malicious bid is mined first.
Consider a scenario in which a genuine bidder places a bid of 200 FjordPoints. A malicious bidder observes the pending transaction and submits a bid of 250 FjordPoints with a higher gas price before the genuine bidder's bid is confirmed. The malicious bid is mined first, and the malicious bidder wins the auction unfairly.
A malicious bidder can observe pending bids and submit higher bids with higher gas fees, winning the auction unfairly; honest bidders have no way to bid without disclosing their amount to everyone watching the mempool.
Manual review
Implement a commit-reveal scheme to hide bid amounts during the bidding phase. Bidders first commit to a bid by submitting a hash of the amount and a secret salt; after the commit phase ends they reveal the amount and salt, and the contract recomputes the hash and rejects any reveal that does not match the stored commitment. Since only hashes are visible in the mempool during the commit phase, an observer cannot learn the amount to outbid.
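The following is an added illustration of the recommended commit-reveal pattern, not code from the audited project. The contract name, the IERC20 interface used for the FjordPoints token, the phase durations, and the deposit-based escrow are assumptions made for the example; the key points are that the commitment binds the bidder's address (so a commitment cannot be copied by someone else), that the reveal is checked against the stored hash, and that deposits of bidders who never reveal are not refunded, which removes the incentive to commit to several bids and reveal only the convenient one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed here; FjordPoints is assumed to be ERC-20 compatible.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Hypothetical commit-reveal auction (example code, not the project's contract).
contract CommitRevealAuction {
    IERC20 public immutable points;     // bidding token (assumed: FjordPoints)
    uint256 public immutable commitEnd; // end of the commit phase
    uint256 public immutable revealEnd; // end of the reveal phase

    mapping(address => bytes32) public commitments; // bidder => keccak256(amount, salt, bidder)
    mapping(address => uint256) public deposits;    // bidder => tokens escrowed at commit time
    mapping(address => bool) public revealed;

    address public highestBidder;
    uint256 public highestBid;

    constructor(IERC20 _points, uint256 commitDuration, uint256 revealDuration) {
        points = _points;
        commitEnd = block.timestamp + commitDuration;
        revealEnd = commitEnd + revealDuration;
    }

    /// Commit phase. Off-chain the bidder computes
    ///   commitment = keccak256(abi.encode(amount, salt, bidderAddress))
    /// with a random 32-byte salt. Only the hash and the deposit reach the mempool.
    /// The deposit must cover the real bid; over-depositing hides the exact amount.
    function commit(bytes32 commitment, uint256 deposit) external {
        require(block.timestamp < commitEnd, "commit phase over");
        require(commitments[msg.sender] == bytes32(0), "already committed");
        require(commitment != bytes32(0), "empty commitment");
        commitments[msg.sender] = commitment;
        deposits[msg.sender] = deposit;
        require(points.transferFrom(msg.sender, address(this), deposit), "transfer failed");
    }

    /// Reveal phase. The contract recomputes the hash; a mismatch or a bid larger
    /// than the escrowed deposit is rejected. Front-running is useless here because
    /// the amount is already fixed by the commitment made in the earlier phase.
    function reveal(uint256 amount, bytes32 salt) external {
        require(block.timestamp >= commitEnd && block.timestamp < revealEnd, "not reveal phase");
        require(!revealed[msg.sender], "already revealed");
        require(
            keccak256(abi.encode(amount, salt, msg.sender)) == commitments[msg.sender],
            "reveal does not match commitment"
        );
        require(amount <= deposits[msg.sender], "bid exceeds deposit");
        revealed[msg.sender] = true;
        if (amount > highestBid) {
            highestBid = amount;
            highestBidder = msg.sender;
        }
    }

    /// Settlement. Revealed losers get their full deposit back; the winner gets the
    /// deposit minus the winning bid. Bidders who never revealed get nothing back,
    /// so committing to multiple hidden bids and abandoning the losing ones costs money.
    function withdraw() external {
        require(block.timestamp >= revealEnd, "auction not settled");
        require(revealed[msg.sender], "unrevealed deposits are forfeited");
        uint256 refund = deposits[msg.sender];
        if (msg.sender == highestBidder) {
            refund -= highestBid; // winning bid stays in the contract
        }
        deposits[msg.sender] = 0; // effects before interaction
        require(points.transfer(msg.sender, refund), "transfer failed");
    }
}
```

Two practical caveats: the deposit amount is still visible in the mempool, so it leaks an upper bound on the bid; bidders should deposit a round or maximal amount rather than exactly their bid. And the reveal phase must be long enough that an honest bidder cannot be censored out of revealing, otherwise the forfeiture rule punishes the victim rather than the griefer.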