Trick or Treat

First Flight #27
Tags: Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: low
Status: Invalid

Frontrunning Price Vulnerability in trickOrTreat Function

Summary

In the SpookySwap contract, the owner has the ability to change treat prices at any time, including just before a user initiates a purchase transaction in the trickOrTreat function. This introduces a frontrunning vulnerability, where the owner could observe a user’s intent to buy a treat and quickly raise the treat’s price before the purchase is finalized. This could result in users unknowingly paying more than expected due to last-minute price changes by the owner.

Vulnerability Details

The setTreatCost function allows the contract owner to adjust treat prices in treatList without restrictions. If the owner observes a transaction attempting to buy a treat, they could frontrun that transaction by raising the price, forcing the user to pay the newly increased amount. The user, expecting to pay the initial price at the time of transaction initiation, may end up overpaying if the owner modifies the price during the transaction's confirmation window.

Key Issue:

  • Unrestricted Price Change: The owner can change the treat’s price at any time, including just before a purchase transaction, exploiting their unique position to adjust prices based on user demand.

Impact

  • User Overpayment: Users may end up paying more than they anticipated, impacting their experience and potentially leading to financial losses.

  • Loss of Trust: Users may perceive the contract as exploitative, particularly if they experience unexpected price hikes during their transactions.

  • Decreased Transparency: The unrestricted price change functionality can reduce confidence in the platform’s pricing integrity, as users cannot rely on stable pricing during purchases.

Tools Used

Manual Review

Recommendations

Implement Fixed Prices Per Session:

  • Lock the treat’s current price in trickOrTreat at the start of each purchase and use that stored value for the rest of the flow, so that a later setTreatCost call by the owner cannot affect a purchase that has already begun. This ensures that each user pays the exact price they observed when initiating the purchase.

    // Snapshot taken once at the start of trickOrTreat; every later step of this
    // purchase should charge lockedPrice rather than re-reading treatList[_treatName].cost.
    uint256 lockedPrice = treatList[_treatName].cost;

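
As an added illustration of this recommendation (example code written for this page, not SpookySwap's own contract), the following simplified two-step purchase reads the cost once in trickOrTreat, stores it with the pending trick, and has resolveTrick charge the stored snapshot. Only the names setTreatCost, treatList, trickOrTreat, resolveTrick and _treatName come from the report; the Treat and Pending structs, addTreat, currentCost, the id-based pending mapping and the refund logic are assumptions made here to keep the example self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified stand-in for the SpookySwap flow described in the finding.
// NOT the project's contract: the struct layout and the id-based
// trickOrTreat -> resolveTrick shape are assumptions for illustration.
contract PriceLockedTreats {
    struct Treat {
        uint256 cost;        // current price, owner-adjustable via setTreatCost
        bool exists;
    }

    struct Pending {
        address buyer;
        string treatName;
        uint256 lockedPrice; // price snapshot taken in trickOrTreat
        uint256 paid;
        bool open;
    }

    address public owner;
    mapping(string => Treat) public treatList;
    mapping(uint256 => Pending) public pendingTricks;
    uint256 public nextTrickId;

    event TreatCostUpdated(string name, uint256 newCost);
    event TrickStarted(uint256 indexed id, address indexed buyer, uint256 lockedPrice);
    event TrickResolved(uint256 indexed id, uint256 charged, uint256 refunded);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function addTreat(string calldata name, uint256 cost) external onlyOwner {
        treatList[name] = Treat({cost: cost, exists: true});
    }

    // Unrestricted owner price change: the behaviour the finding is concerned with.
    function setTreatCost(string calldata name, uint256 newCost) external onlyOwner {
        require(treatList[name].exists, "unknown treat");
        treatList[name].cost = newCost;
        emit TreatCostUpdated(name, newCost);
    }

    // Step 1: the buyer starts a purchase. The price is read ONCE here and
    // stored with the pending trick, so a later setTreatCost cannot change
    // what this buyer is charged.
    function trickOrTreat(string calldata _treatName) external payable returns (uint256 id) {
        Treat storage t = treatList[_treatName];
        require(t.exists, "unknown treat");
        uint256 lockedPrice = t.cost;                  // the snapshot the report recommends
        require(msg.value >= lockedPrice, "insufficient payment");

        id = nextTrickId++;
        pendingTricks[id] = Pending({
            buyer: msg.sender,
            treatName: _treatName,
            lockedPrice: lockedPrice,
            paid: msg.value,
            open: true
        });
        emit TrickStarted(id, msg.sender, lockedPrice);
    }

    // Step 2: resolve the pending trick. A vulnerable version would re-read
    // treatList[name].cost here; this version charges the locked snapshot and
    // refunds any excess, so an owner price change between the two steps has
    // no effect on the buyer.
    function resolveTrick(uint256 id) external {
        Pending storage p = pendingTricks[id];
        require(p.open && p.buyer == msg.sender, "no open trick for caller");
        p.open = false;                                // effects before interaction

        uint256 charged = p.lockedPrice;
        uint256 refund = p.paid - charged;
        if (refund > 0) {
            (bool ok, ) = p.buyer.call{value: refund}("");
            require(ok, "refund failed");
        }
        // (minting the treat NFT would happen here in a real contract)
        emit TrickResolved(id, charged, refund);
    }

    function currentCost(string calldata name) external view returns (uint256) {
        return treatList[name].cost;
    }
}
```

To exercise it: the owner calls addTreat("candy", 1 ether), a buyer calls trickOrTreat("candy") with 1 ether, the owner then calls setTreatCost("candy", 2 ether), and the buyer's resolveTrick still charges 1 ether because only the snapshot is consulted. Note that the snapshot protects the window between trickOrTreat and resolveTrick, which is the window the judge's tag refers to; a setTreatCost mined ahead of the trickOrTreat call itself is outside the contract's control, and the usual buyer-side guard for that is to pass a maximum acceptable cost into trickOrTreat and revert when the current cost exceeds it.
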
Updates

Appeal created

bube Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[invalid] Change cost between the call of trickOrTreat and resolveTrick

Only the owner has the rights to change the cost of the treat. Therefore, it is assumed that the owner will not change the cost of the pending NFTs. The owner role is trusted.
