Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Invalid

relisting can be used to DOS legitimate buyers by frontrunning

Summary

A purchase can be front-run, and someone can call relisting to DoS buyers. This can have a lasting impact, as purchases are made by the AI agent and one failed purchase could cause the whole transaction to revert and affect the buyer's earnings.

Vulnerability Details

Example attack scenario:

// Time 1: Asset listed for Buyer A at 1 ETH
listings[asset].buyer = BuyerA;
// Time 2: Buyer A submits purchase
// mempool: purchaseTx = {from: BuyerA, gas: 100}
// Time 3: Seller front-runs with relist
// mempool: relistTx = {from: Seller, gas: 200, newBuyer: BuyerB}
// Time 4: relistTx executes first
listings[asset].buyer = BuyerB;
// Time 5: purchaseTx fails
// reverts because msg.sender (BuyerA) != listings[asset].buyer (BuyerB)

We can create malicious sellers with fake things to sell who keep on relisting to another buyer (which can be their own account), DoSing the purchase whenever the LLM selects one of the assets to be the malicious one.

Impact

Legitimate buyers cannot complete purchases
Market manipulation possible
Sellers can grief buyers at will
Undermines market reliability

Tools Used

Code review

Recommendations

Updates

Lead Judging Commences

inallhonesty Lead Judge
12 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
