Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Front-Running Attack on PreMarkets.sol:: createOffer()

sidhack3r11

Summary

Front-running is an attack where an adversary leverages the visibility of pending transactions to prioritize their own transactions with better terms. In the PreMarkets contract, this vulnerability allows attackers to exploit the public nature of the transaction mempool to outpace legitimate offers, thereby gaining an unfair advantage.

Vulnerability Details

Offer Creation:

A legitimate user creates an offer using the createOffer function. This offer is visible in the mempool before being confirmed on the blockchain.

Monitoring:
- An attacker monitors the mempool for new transactions interacting with the PreMarkets contract.
Front-Running Transaction:
- The attacker submits a similar offer with better terms and a higher gas fee to ensure their transaction is mined before the victim’s offer.
Victim’s Offer Processed:
- The victim’s offer is processed after the attacker’s, making it less attractive or redundant.
Attack Outcome:
- The attacker benefits by securing a more favorable position in the market, possibly taking over the victim's offer or allowing others to disregard the victim's less competitive offer.

Proof of Concept

A proof of concept for this vulnerability involves:

Observing pending transactions on the network.
Placing a transaction with a higher gas price to ensure it gets mined before the observed transactions.
Exploiting the manipulated market conditions to benefit from the altered state.

Impact

The impact of this vulnerability can be significant, including but not limited to:

Market Manipulation: Attackers could exploit the vulnerability to alter market conditions or prices by strategically placing transactions before others.
Financial Loss: Users may experience financial losses due to manipulated market conditions, unfair advantages, or lost opportunities.
Reputation Damage: The integrity of the PreMarkets platform could be compromised, leading to loss of trust from users and stakeholders.

Tools Used

Manual Review

Recommendations

To mitigate the risk of front-running attacks, consider implementing the following strategies:

Transaction Ordering Protection: Implement mechanisms such as commit-reveal schemes or batch auctions to obscure transaction details until they are finalized.
Privacy Enhancements: Use techniques to enhance transaction privacy and reduce visibility into pending transactions, such as zero-knowledge proofs or off-chain computation.
Gas Price Control: Introduce measures to prevent malicious actors from manipulating transaction ordering based on gas prices.

Updates

Lead Judging Commences

0xnevi Lead Judge

over 1 year ago

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!